From bee67c865ce861174fb08dd6af4d5022806d93e6 Mon Sep 17 00:00:00 2001
From: dhwanishah-crest
Date: Wed, 30 Oct 2024 21:48:30 +0530
Subject: [PATCH 1/2] Infoblox Insight ID Bug Fix

---
 Solutions/Infoblox/Package/3.0.1.zip | Bin 0 -> 146208 bytes
 Solutions/Infoblox/Package/mainTemplate.json | 124 +++++++++---------
 .../Infoblox/Workbooks/Infoblox_Workbook.json | 2 +-
 3 files changed, 63 insertions(+), 63 deletions(-)
 create mode 100644 Solutions/Infoblox/Package/3.0.1.zip
diff --git a/Solutions/Infoblox/Package/3.0.1.zip b/Solutions/Infoblox/Package/3.0.1.zip new file mode 100644 index 0000000000000000000000000000000000000000..7b774da6e92c7e2e00b489f5845a236adf0d7c7b GIT binary patch literal 146208
zBO%+B)6D!n)&xwQ8KI9h8WYFKx!9N{_JoEmaXsLN&_~p=e1jkvCNvvHd=HU)MpIHU zGGf7*gX{$9$yQuiZz4YbGUAq5uL_l=)p1c}Av#);r+hg`l4t)*xCB@EQlQe4za?nK z95jXS-r@@tuoC=u_wR|!o-WPL%-zQdYah=RH^jQmBJ1{9++H7d;g`3J3LtNGPJQ7$ zzgY>eGADltFgGoZz76_-)?1c?zIQqoNJ2{9K4KL()+@61R+@Xb5l;;Po`DLcFafM! z6^u21i1=)N)pM-mUHN|o^{uz~YFlN>(Xtyg1}IPbMM8w@#Z%ZTv=rWkoloJG3$-lY zmJ7a089iUG12?;fA&fI$ed$E$fkj0DM;L6gyl_;aAyn)mL=Yh9Mx-u71geW z8r1^7QFjfP{z{6XMQjE&s?uKl+6_l1jd$az6E-r;v*M_%Y8th-XEGHI@u}iBz6lJ_ zYw*pcrrNc!f|MRnzK4l9(?zhnheNZmNtYj=TXepbsvaW%+2k``A(`oP0J3{hliY6@ zwVrjaJTxxYh5$G2t_3I9lwIdB&!wLV8AHDE=Tf%mZ)g>cDjB5&>ELm7^Gdc(Ge z#VFLfvyviV)S9f~LXqc&RnwOS_KJ&S2FaUre}QC%avf3lq>7sXW`-BS;XG}H#Y=9t zA_^N>1xfBjzh2Cl?UHv{uj3F9iL-O%ST zi;U31r8B}MdT83uY{l0groJd>F`~Ft`O2C<8}M`!oPz2^#f#5k7K^&p1aaQ=QEuXY zME>}Y1#8E{nn%OQd8dh~U!(r%)DSPv#~bgWYRADat_#Pf+7=wtthXAz>K9|QIPCLe zi&NH@k}wr}Mfhco?QB|x>D3vp*(gKczQufiySJJNzs6Ba8GjRJ@gWJhEIdXdq6^71 z94?ZV%;r8Wb2eTqAL!JZQ&=Zn6lKJ@M~$PYZ%kbXQA(xIMs@*2F&6txrs)rKI1hhY za<`?I$TmUX&1XUXB*7a_t~&8X$Dg33GF~ihPi5N6yCL52Qn}SQ+3=C3{3^P?wiT6w zGZ;OSel|WmDrY{Cv7E%-6*5hA&`FIgxevvC%RkVatuTpldrIgTk5;wH&J|%@Q0~(| zW!3!T$fE@FYU65gUE2Aq;WQBQRmOVUK{b` zAR+c*R|RhL_KO8Igtl9!rU&EhAE)@5#nM4gg`uK>!K!e!^ZE%=Kl^-sQe8x=osiwK z-dEDy!vR(x49p#_2%g-$(8w@1GgiQ(-rlGw%z-aT-0l#4Z1)C9k#yvvi~wOC#(0pv z=c8I1<}oJ?CDn+oORSDOmIO~?C3MCN51C#RyOl{I&pq-*k5I`$`u%#A;aqx)r!%R_ zkaDVMHKlEjw3*VXCm|!nw*VTmn2@j{#g9nL?hso*M49DZMCE%tE)qkWSQo4*QY2@s zl~?}YQSp^a*?W3^@@f^0pgVv|R_~5hx*r{3+uftFx7a-z@&s*kGpuwcii1vAjyON% zKzU+LJN*06H~Ra_tHlXC{pTo)3uxz`eDeZ}U;Kz_$RVwj4Hm}Fkb0YeKV#S5L0lZ` zl?6Rz6~Ldk9cb$un)=!sg?9+%&M1b5M6{PJg}@%qkPO~(VYK7y{Sv<>Xc!&;tdT2a zJMANkaa95)W)sTX00IMRJ#X)7^*7V8xAjX_)b*4 zzcg68$jcHbDrKM5LlAC3NH^ptDWdy+L-5riUL?XBkJ!8I6B4w>Rx!$ztDrb$eL3~H zOTwmFm&pQTW)>e(w{1bz(uBo8APK*ZKZj%M;5YH7<3bUt=6y~mQg>(MbsgCS-duBx+y^u%&qIb_VHi(?S4g_ z|6hs^s9=D2E~O1V#u9L^iC2pzo`G?po*XNlL@ra@0{V^EaDi!1m%M?%_BV^JLy#?! 
z^CR7Z8FB9sFF7wM@IM&@pyGeUU0I=>&EJxm#oM$~Y=J?u4awcZvw{T+3Y+>#<>^`I z#(VKhjOjuX3tjAb+oPGk-*s*f;nCo;=#0?YtKhgTY)9@~`Bq7R(cHD+C}&mIh}<3` zmCIgKnJz!B1S;@4uy%iMb?R#8dZsei9!6iSJq~sLb>p`Yu6|z`By~bEnc31hr0>>V zf1)}G{Ic&z{q1HhoG&?}oy@=dMaXx_Al-#j-^Ig}X;6Om7z3bGwM{j!NGCrWmQeF+ z6=J=>X@obzr-+}DJT|2C)~3d4%E^hTaLQ2aT;Dl2+-lsj%3(P0c1I_Eqb=r3@Nr{H z&2LOVZskX6d2K~6q9w>LyUG*f?`b{H&~+Mg~VK( zc3;}A74 z9nT4OD#4?4;IEQ!0~_Z$B@EzeI&DYoq1MQZe_r-&Cl82lK}d*M=`0{aqCX5z{6{NQ zZz97(R4~*u;8`w&437}T zcKN{`Y-f{j8K=ww2XQQ1rC^F2k&;*py+s?y_;Hi0w$YmM)DhmQN5IXDf;T@U%{54~ z_IezA<$nNiK#srO%N*)1Zmd5vxMdhHV92AvSOFG*t9|apsT3xr(oS3afX*AdKz4%#C-nRTfQ%;>*bkAf<&+Iq)U9;I8fy5aPnw?U+;875`%O@;Y3b{!2l7+TOlPY12 zhm|O02CT}&f|4`gh*T)RxQnf%dyT)LS4s{lXJ&PBOv06jCT*Dzd;GF%Jn34Kmfbcd z?x10|o9(ta8nj1d+jgC?)wCM+q>N7V+8?t}SM3pquX_mbDDrDv8B~+F?!9}tA?d_d zElJR*eQsPr@d0c~KGBZW7gByxJ}ql$>Aleg!a6jAF4q76uu^@T@ye|!*SPYFWdNyCXU)?G19o7a!)-Hqi(QJOk zhBfiG^*IL+?Q+EGrC8I6RYMb3t-@;%S28hkV>K!Pe3t^)c1KpbJ$B7*dt{mI&d4_V z9cN%p8g|pM2X=Shv`PqIkUH;SB^M4Ic};fYL771d4N>|;1$7~1a>J5Z%3FDR{tv|T zCSMZT1?2rkXR|2cP-~8-QJ+t8x71x!$mu|-2sc( z0o!;4s-`{ewVi$$ZyqHN;^&A8Ia*+dl1jkcskI!g!zP8C3^zeu>8jqDtc!HAeezBo zo@!HTQCf+;I}v*XBU^G|-os>fmy%`oBFcm=mgwQ^s6o&`Z3)bx417uP>mrJkmVb5NQQ7WTVd} zXTAB$Q(+tM@7SNyoZJ%UZ(A*a>}@*>_Y-JKm6B8`NtKfHuu4*jqEcx}k5s|Yp(lra zQ{>(NvgV-MP~eYJyUDmG;9-=X+I?S85L2m|1$3!LbFskBu1raX^Uwar`_)um5dTOa zX^-6##y_?-Z#KNJ7#d-CWNMlkZ`~!bqbLeX&KKi%=YLS5(6t1FUD%g_1}zs?$R?*V z2Twlwnxp$KtXHn<=!Zlb6S@1mQa~fkD+P383aGI;4O9WODHT)!dv`i$rCB}-%`&1` zN_)kI^+^=W0Ul$YE+470Y^$!FifMKIB&{y;L~t{g3U~J>r=PZxXl$#NSZO>zpT?u? 
z_m#?Xhbm9P`M^pidSp6LR4F3VX&g#qn?pA$8%rdeZBjqdy%H0ihE94UMw%;!e=kbb z!#L%1iWYw=CZ=gMk~A%i|E&ClJ-SC)-T>alp1%qhmFyUZF7YDEJ5ZwR>6Fpy3BApy z%yTTt;@{VUECSM2y_s@fO5+3SjBK=Nnqv*0r6`ANb`+1^TJJLkKOF{K+Xx16M&(bBo``t8RT*A9&xu9ZRXm_A#u1+mQ|y-==CA z_a~>_h@AVH*fMv}g7#pb`VhUgm#P%fqKUm&nV+&#Do%L7i8sbt{hHSNTwdW6{izd#p9xr>$3#Sh-xlNyC3Z^(?^DG6`7l~BJoaRf zf`vPW5->HwI0e0&mNs+A*{e^_el%`>Shvi;iga+8*g+?$1Ah@-FuG0${iF`asm*-Q z#kn&*q$#fb3(}z$-e+o|t1B%_fcsqSza-oWy6H{}r8EVQ{j#SF|T;LMrjXF5W zzr<4IMpYh+%7amPFcL;lc`zyuM&+5DVPbvr0HHRTz9r1)TP17 zz?`J&YzNxj9vmf4)4s`zvE&Y3Gm2fCo|C&k1-g0TI^OEK6h9T{<#!nH2IR~7 z!Z^2wGUh~V5uk;gh!6VATkq4oJ@eL9M!>Ve+R?1AyFaXujPQ#qFECI`!!7`^b1-ZJ z%-BQB@9%SIX8z_b&2##oq=`t`-zQ#Gr3NbGym;zgdSk<$&jJ3G2dic;@a2yA)W3m6 zBHlUd;|gK0TOg`&}p^%6T4%N%UqJn1dfPug*41c?(>@5sk=0s)%Eqw zkkGzyXgD_Pv-o@T(YEJUz@EhQoT2pkJWee9d(Zgz`By64GQwjK@Wv0p*w4u_-Rc5e z4;V{hYZGrKoh{MD)xz|u+|f7I)v2>i)aQTtut|LJX3pW%oh*IyKkcq&9=g|q$?D(# zzBxpCk=Gu5lJt3Sq`x7KW_bMC&@b0t4h{R#-)(g}&YqF|;-5jE{6oUo!+rQqIH-DT z!njm_TA*%M$Eu2Fni5)4D2J9RPH1UylyY%hFZ~{KHM7nh>`vY-xja`AhrK~}-0QU4 zrqi6DI2?CPyEAT^eXH9X^xa;w*Kd{(hvISbs4Ns-&?g`W71+aOKIs1Z3Ocw9I{=!U zPwkswC2=<_aRF0EY8mqOf8~g>BiX_EADMpZizv;7(Llc#Wlf2Cej>cs}s3k9M` z5z3=pWNIo(bKKu+m~sFN5~S6$a;PoW!DTFGG#^^>s4z)r(dsQl)E^y6LTVvDQu}xaNDZFecX{9pd?c(O*g~zqi9B1KE?0j4rh_nhMXs&dt4DsFE*cKosTJzT&>H3 zD^HsOxXbEanSDQ(omH+3d)Br1y`Bo$R53nYc{jzH8HxWNk@bo;Wr%0-vkbViRV zy4$s7Vd`b z_c>jFG1yJ69C<#aWEg5o>;q9}gV<+!@l5Qq$kv3S{rzZcn^i%jo-Tgrh;~TPbZKWv z0cWd|MEvq?hz+A*G#m5pWX<#Oz%OFr#`(KrgH0_k{>ftERKC&w{(?WoZ(uaR0#1EQ z7oTF9fW0(sKtAXp)eRX$G{3+@YaVwnm)!YtiS)DuIb&kenoRKvbAx;r+J zks1}lY=&W0i}^I6$wRP=rY=wF4y)2!?wsruQq9A0*2C@UHRBw{x6=9V*Wqcg%Twra zOXCi9d+mlB1(qy3*uk4u_B9x()t}!+KJu4W#y9&Wc+MOU#tHFYrMN=^BN{(uXFn$X;+ws2jN_ND zjNm4i`j^I6&sJPutP)Pv2Ba_RslA%eD>+E=Ztl)Z-o1Hrb_#uBY=WNJko+hA2?!b6 zGm0*0hOk%&I)D{2sMr{-md42ahCVyMtFxkK#a)7}|Byi*OJ_`QaNG%R{9{GrEDU9N z1@Ol{z-C@QSfn(!AF!Ky19hiU!*(13SK!tT;PwU4bW|9G!KS=mvxdVB<@W zFUuS5DX$x+6Vl%|FSx3S@k7NK=}zhD^crIjX6SG=FK~IG3r5tgJ-!N0&*N&@GeO)@ 
zx(4L!?=$8+1y-9*J)p9&yT2d73ozXK2=W|n0i+Droh`MFvBFTs^MefH zG~3^=86Tm0cV^F^`;-0s&`&va?ZvDfN;q^?0!gm|_%E#J!DKaaZ1g6BSULcaWG;Pk z;>{d$Nuceq(^Y3|#1ub>%x{R*G0^T8`Lu`}xpS}i6zmo3m#`O)#c(7^86e7KEF4Xi z?ji|`dfdZsL$1e=454}a>@77Dp$vkL2uNh9P&dcs!i`B%E+4sUx2Hfx&JDlMh;FG& z2x14<7{H~`!8*MvGz{vj=7CFffpx+<9gRbOv&RnIe%ESEnq#xkALFq@w`e|w-drenBz7c5Px*HQ8yc>G zk6~|m_LBzHbcY?h;J2wivZvvf(#IdX;CIgf=J+Rw-`DK^f#f5SpyE$gj(aqfx=zRr zmClody9GJdN;KdJ&~~64FKOFWXVmZX&F)|X3ug`brahWCX4jr{CRV@a^sO=r#|0^0 zB=+E2WC6oXB)S#KOWDl58lip2p@|G1nnQvRS=vT~tZp@thU55KfWc}cDC*P!-6t|L z20>&BQvgVWyokk6-rKV;m>J}M8_rhOBX_Z@W{xP3IWpq*h=u^tO)B|Nrfg85agkzB z@uJIxJ-<3w2<$$K98>D`TjS=aZQ5NI>B#DtgQhz+?Sb9vSd)g;?siJh(LcH2CKE-c z1W`ydaQMGTtSPs}_$j<}jzWnn5C``|OY*m*wSEm{l)vH`EI$eiEIf?6733fZAe?iq z{PD7Vr6i8Szhi%{xS=<@+coS#bJVaJW`ES~<4JqV?Dv`zv)^*9R;O!?8vT9=Vn3He zj7;y{1bPptJCs~8Nu^2`vP78mO0OtH`aF2X#wV zRd((wksU{gUJDdjvY|?{cJq5Ko~_G(iTuY{Btrj~i_Qh`jv{?`RMCsaCnBv$oyZp@ zTUxK5Xhjv#PYw>yHs9Ibp%c+p+>40=Tx)U?uCOrRTZuTYfuQ!bc`J!9P?pEx!E~R7 zR`*GZ9sKf3_^#sqzK&7Qe}g=N-1pUUzZus)p2?iiE9bm;9_soo3yb(G@c-`AXJLUr z?u^^6*=>N(Yj?*jv)^|ev)7(DAo$uXdps^7`NRP{Ra$%1RY@^uTX`|dT!rpmmwwUT#BS)N!w^7ODkQEEbXd_lVQ;V z&U)#MB8Z+dfv!H%{Q*zq{UCc4#r`KO{6zDTJ`s76T8$(@_u_tc@HsNs5G0 zPg_ysbzo&$_cOzM`l)WouNT2@MD=uAuG?>POt5EKsK>eHU<@W|dtkSFBe(51<*v;l zxdnGhW1)`4&p7kFC#u#QV>HHfh#XBg<{V3k5LS@CSfb8Czl!tw={AUPJ|!9;n_-5m z<=z%8VDZ9-{o`Bj`Mu_PTx4k`!)hz%*{H;=M+G+jrxTu5uEE=R6h6 zo4qBLm_mWPkeoahHF2W)dK3t;+dPt9E`L^R&`dU=yhciI_t5?n=iW1$(u9UMV?;oz z2Kf8cOgQ2WweEuG1THXjO}@E8WHXtvLqTrHuQosxEpi^Ljg|?w1=vQniCn86rdtyBq5AF8u8Ya9~@x55E|-%lp_^A z>>l_A7`P*t1I<%3W@ykS5;?DyPTyQ&M@z%kU&6e`Xy&6PMUrH$-qeh+V=1Ll&XlAl zM2U;EX1w*6FX+wk>_hagGn4}X$^|^{4da?)h5%3s{WAfbzp_O|`QQmR)|zsHqEWgy zL(9{Zz_?3+aWr)oxRMd>XI%d2qs;T4J`1K7lP0ZCogkdR^;gsVKDRk!C`0EBZc6@S zm!%+c4mFh@Mrt9Y*=%qj%X3mAz-4J7Pv_-q35tY^vmz(6hiLKb@~?Ygvx9?Fff$`8 zZ(n~mLI(eBqBUHd#%l zT>G$Xk!c2#7tQ_8?G{1X^Dq1?C0Cl@^?) 
zOhDpB;Jw@hQ_Q%1xc9-lG5M|bX{|SQ(w=mIfl{k6$D1x?pQeF6to8dydB_JkXs+ME zX&8yZ%&)|*+IhQ@-@wuIm(;~-_GRXOnQCY0JBOZ;2m^T<^W5@VU?I449=s)fek}r|c)%cs=va_7r}uzOjv&x>R6|79qS-eq0)ea zo+buCn2!fPLd_FK8)Eja_S`d>^ZT&bum)zs!v6;n#gr0)xRLKr_xBIx8$iQ}oXa?x z&jUWiQ{uNF(bT&~*X!uXi4X#+#;hUn$4Dby(p0^0m_II9^4@J|3Eq+!@neh95|Z$Xm5GssMNLZc#|8E?}cZS@OUD7-wcnjj%{*il-{sR z50V%*J%+`UCgYl2gv*bBN!`;_I{`jswc6gWQoRDv!!RvxjhA;L&YFfDBh6`|2?^~K--IA;@)9T_tXvJ zOU$l#kLS*|V}HfrpgX~M1=Dwuwy2G$PT{OKxzQF=3_j;zjSG6l&_T@LxlNfV!n4)F zi$byukIqhY8Hdt&_5`Z%f-`@*w}K!xw@Mozx);Q$nYY8WUr8-S8}vLhp^j6P zI&u-mSr&0n&vT3}I?0vwLM%Zuv@c;jFC}Xnoel{ypE>yBG^(v`Cyyn8rmx9GmpD*a zv`QqP9~W`$4^yU|(4E`~A!;VL(Lp6$WZcQR#+WNsY)SthS`!&5Px6gr`O3)#uTd+N zvkk(GiKRWF*hbBjJI46o(C(;hkH#IdWpzhpd)(`o{lTbbcE%H{)pokhXhgw{UHJtQ zq0=dv@;vme)>LKvoH+j3#Zs%0)GAUUhCK~0Lt=yNTiveJ8MMt-XJDD_2_8Z2_8fE6 z9oTNCV~-}?-i8KCul?1GRVo0naKTys^eo66e!DxiyN%Y!1i9ES0rQSI=)>?W$LjP( zO}p1^*&7;uc*lTd3Tk1>kSEQt+nhKf(`vMBv)%4Z%u%~JGP{mt4O*7n7)&M`8Zy-d zHN%w)Qij@S_4>`xpkcbbb{h}ow9P?h+%j#e(dmvSZm&NXY-p(bW@pV{qebd)i(mDv zk0Hda{DvJ+-1;4nDum@Rjj0=sC^;>k-V0p#j_7=63}BP{>XtfVa2FWUql+J6Xy?I} zMX_Z)%w@`{_eK365uIE8?D`wpSEgRD6x^ZgE1j{`aXR>%rPb)0?M|z24qAnrZk-1)IuTk;=&&CaM{t-p|QpaeQqTtEmh16!|Th9$0|kl!m!E zF4|7RaxuWEJQuB<%yePBpPlP87~3wki!IetT+WqQI#rZGH@^kRk`kLqof5R4pF;8Z} ziGOW-v+$_a$=maPpny=$kkJu*2xue?f$+DqYhrZqM`bwB7uK0S^~N`}zWS9WH_G4N zx=WNk(9PR(kTf820+;-OX%BKmJhvtf;?2?Vk>h}%3*=hoi}AbjKPack-%ox&J_Gi- zbQg0Vjb+W?eZ6-tNmc$gkt&NDK5br1|6+xFLGZm5lfI#35HS$mx5;kB0KRNs^hhi| zxivqs{79NJ{~NRcQ)O;gPMix$NcL z5;%t4G5XxQ{1d4(Gl9WZ(Sz)70SW+S97F7G*a$zzNQ)QTBJ+oaxsLl^|)=VU^^ zyR$+vw%uy|8XnO@Ot%^ynzq)#8@!MYNI|e2$H&?2dz%C(++`>Hpw`SxOU`P6}P> z7w#qMj+0lw(@x3dPf_QDbZJj`-w;6zk>HUhMELDL3m4bZz)^tIR)_R)2Zm#?@$7sS zHRM5l+ctA* ziwvRAdz4;9t{)QQ^GsAYi;4M2rC>WR9nu6o#12s6LZWb;2?RN)vB?9&Isz)wA-$A@ z9(~Mn#tr@^r|2cDgjm40rQ#@<%7?K0v4;}P5b8)xZJjbVEu@I?_c?k7Pd@dPy2&(> zPRZQe4#Rl^Hv#4=7Suq-_V^-r7m^b)HPnnKuLXM9k4IZP5Kph8@nycOTNmlz?Bzk-#d`7 z{p%#JF5nIO3@P;4nu(S@&uw zAN!uEvF&kGUIsvd7CNh)|pOuMOnV9LlR3>I+ 
zVisJf9C{Rd(4<`jYI+q^qdU=SjW?f`2$hOUjxd8_xmx^d<$Hn4rl~X#Y#O$ZCZ}t` zWk=Y6iws?Di9f>zoGo6xg{X=!Hnp?Bukd@F^rQYi0Tp-hqgMRZHrtkNpE zK@Kyjw8}zSQl(WE>!s2vE3LBNN<9*-GDKO}gx}DhsV<#aR~k{(PpgGqDplzNEDx_H zrtYJaf>oIGeg51=;zR%eLDG@@l*Q4Mjszu-@VT%X z#%dAyOM7%yRC2z-E*eUeED_CYv#@u0fVGW^aKb{2jNMjuG;WQX=BVFs&33OpHV57Q z$m~t*NpCQ2TI2Sh1R3j9Fdaop%GuMQ&F zTda1cEvd1hkB(Tu$1J0EH`L}q#cnaG1;?0~xZ-(ztlh3=k zJ&I*HF2{7E$EcNQQ8?su^q=th%DQ$Se=8}P(WM8l^qPnK~nB>IP~lR%C$f4 ze3*GaBa|{|<}^9|%)NZ^#oPNe;x^DN%BDqOZfhvoO_aFEJzGEYWkl%Q?xAyKC#?#5 z0(u9>O$LtQFE&s~`JkPudKm9X{hkFryd40~{Yy6l;7`cg;derdnM82E%3B0H$)w<|G|6U53sT3SOk6+4}X1iuzNY4xax!Zv& z;Zt5gMxw;%BRzF$sTG;UN2<2dtD>z(>b27Aq2WgAHKlr%ad04<@Hl?Mn?xErz8lPT zmUyky_{y+nH|PjN2O)WRj|nS|6mfVWL`&uc4)!-&uCEre`yD>+P%2<=nk#oJM8g{& zckt+~fflP$j~~fZI*Bj4UZU0F!>Gx~(nWkCgW(mRHTI&pY9V?@1CVz_OcEU_N9Idz zT_`1=MR(tVDg>U@lCNFR)qOlUGV2^#Nl~@$DZwB)Geh=)t{e1ENyt&0v+JcX$jJq{ zvpiJW{lPI`B`M|Zrb<$}pBr3odr_hH^w4v?cX~SeidhYpc>5QqtS2CYJp`)nof{Zy zUmt_M>N9eM%%@z({Azc8eGEtJG#fR_Wij$aGBvFy`VNo$<*M1NZOaqWGj&Ul|}zqn^|+C_j_#F1=?jd&b(J=ueZ(SenAJwFZS5N-uB$lT^7q_ z@unmnZ{iV#pEEIdbN6sZD7WYy&XkeUvotxjegg4R*pVZTER@)kD+f*Gph@p#s~t2C z@8lga;(Z^17BgsnT34%{9H3N^`9=*McjRt+~SAm?rh& zhM^QsivHcD+FR7&0kz(-$H$xW;BD!K5ARma+`6{Jtz1HZ-V!I~rc}5m@1uMqw_8;T z-lyu4tKv#arQ{XsrBd=LC9mL0Wh;3J?#W=CljeyhwrlaaA-3W-BxtIWMKny~t#8Ed zttxQEm3%X6!aY~_u6X9zSnuar8#yVE;4=;~rs3t7?B`lS;-Rc2Kk)T7vKlR}wgCmx z;HP;Em)Zw*n3ws@TV6#UvE>zQL#t_ zRV5Z5u~;NHEiD#FYbKw5cEMOgDhRwiQMtg`t`ZH8STt}1m6i^#>}xRJD)CTQJcNjQ z?DC=F`^UuhQ8X6kdu&;8dv0!L=z0u19yvP0c}vj(Dmm~}Y>HVjpb`KD z1;Eqh{*a9-0r1ELK!}iJ89?e(uD}99AjH^{mjaY)Dmm~ZNF7ZC(k6{DMKj+Y^-xj1Vi)@Q6i2q(uqYK-*V-k>Y00&zxEwC!WVHB4aPq zR5wWJZv@}eCXsqYRJko;qnAa+H-SfeTU1f;9z2C>1FCzW;^&^LD+8)41MY>A$JLbq zv6WJ;46quFga-hGrp2ZA{hUn~z16hfVoH`CcJjIO2z;h3-u;>M&FG`B5nXRiBNb|t z!QdWWp;TJb_}`!u*h`mw1tsbn2yGR_RfDij+AB2b<)0DIsAj>p=r|NWQ3!lE{4P({ zl;BTNO+p<+;Er%cel6s|^oa-$hNHh9E|mJaBR*7m;GC%PiMYGr|NDRc&;K>{_xG7b zNZz#h=8lZHeMw$~n7H_!s6(H$!8b)0?iip<@okCelq#<-;e7ytoyKo&uzG3eO}rIE 
zqMrN+?kYnd;soE=zHiBtjPVP+@q*Y>mj+wr01!NPXAU5kzACi8&k4b#HBDY~f1kY1 zK`Xq7S1?cLQbE0`f9Z`4dp-|9qIvi#>;fMrnos?k@b(SYc*7aZIETS{Gj|FW(sYH( zRR8nAXz>>+FwUkfK07-my{!Nexw%8?V}dU=k->d&-MQf{4UkZPAqSt^pkfW^X%(=R zQ4APt*dV`xtC4RnoVx7h5>K;xM9tJuSvxPq{~{#2x(a&0o!o$b0paNaCSaN<7-Eae z=eP>MTA^4#IfkT0Cu_hWsK$X*}F~VoHrY?U^3jwnxk{rUX6eb`?1$9cwiD%rnrVn`;Q|}87@B-SA%?Bje zazNO~2cZAqaADF)XKVrh5Q;$K{t|NOZ!a&5<9Bago&IK=zCAzv?e`1gFaakKX3L0=Wyv#j3-b$URkuf!h_p-v`~^jytv=p@oMQx5+bJn;E$EzC5I@+W=;g@ zV;d%R<-)`WQi%e0jr#O=U)m;!W=(FDuJ z3Obk?H!!Gltg#Lx`6T_izmF0e5bzwDk=L>Vrqcy;ckE37DW14S$+)&}fC84rmHkx= z2E`0oPRIfwvw1TiI%+7$pfQS6+xhARltW>LRLtSXUla5n0s0wAaiu4#1yZKMnTnKK z&4IF~dU4c>ilaf=Mg|(N*hM3%u-I++u0;&JPtSV2erwzuwN1P0cFneB^~^!j9h>&R z?scq5!)kXsbjQupix|2rQckJ)7e2YE$Q!Ci(#hd2?FH}Mf2}-XHb$ILq;aU~soHlC z?-QX$eMPd?`HGurKZ+=y;x;(+oe49N#v$;tq!Lrm&Wgf&gN^&$HX4eJ+gem3#!V(g zBj!by3wwTbun5&%LK$o=+qTsi^*epDI~d_w4*I4&nmA_Ho^&QwzvuL=R++VAN&?3` z**q*|O`}`OnoF7*D~m33%~;68iW+p$s%Xva?)-?7=IxFM8wf*;b}E}-u$Fk&9PEMU z&j+i2I9pwh+{LaMb5KU3r@^ftoSLjeN9kzNYq%Y!;hIf%GBMkuv2708{ed}X*rRT{ z)$8~By%Ka3H3u1Wv=gX9gEg}CqgW>XATGxuNNO<@sow_)->rT^L93h8qTNm?X}6jQ zCE?P=p!J$bBWQL8N$|Rjc2X;=*%%}Zy$KQ_38d()L5xcq{dvbEa41tKCz!NeWubs8 zZm=aMaKjC64(d%1^9z(E=E$}gZgpsi!oOpGeiPk8OL~#;ig5>I)6J03A&3IUhK(M7 zkG^C491C1z=$bL7K3g8vIdz7Y&x0jC#kgmD{LJnsU(IkY^n%Ii-~YY=xX1;xMCz|b zzi^FYNEM|a*Sv?vuj2wV^_gYO&=iSByI?(VjgLCTk~Lx3HO-)LLuR`@))@x)p++b2>De9!gn#JOQ!GgWtV3cH zzN`}#2nWWj*;*lwTuNNfB{9KQo;!6y_e>n|1PrY!Iui9G(`E|Uy~P_#LWls+ltJz=exo0xz zdDv`NUDIlq4XPcEe22=-AC$fgA~&e5J!A_v1f2suKBsaV_f?V+OuNs0CQ~i%P$7=b)m0nY_F&l zI72_yc)D^xic${&HxRjlff(6dU`XAg<_T?AFvf-O`HX!K$7q5-yG@K6B|Zd_#CGzV zAXdg>A_ZWGZIrr9U#!{-%tR7w!^L(^bCn5oeS3O=WVAe}HeM_o8rlmZAOAN&wlMoB~ zWc3XfVGXr04X&vTsC#JL{hn=6#LL8sPM#ZaO5B`Y@PPZbDl=~j$Cq>pNqV47Cl8zV z7u)J5#I~$^4{nunI;IC{Wle_VeIoyKA@1QMWrV`<;eukH`JK z)oPdUNc`?jsgEW!S$|u3jw?GTETrX}9tyo*2L&`pO`E{~$WTLnegI-4Q}K@rZ7R9UF)L z+t|swPl-p~gyWd#Q+DV!4oU8u$1M-Z!(~%1SnhhD_gM{~nxpA7{=LzVlsTr$VMQ`C 
zEKefZrB7AjU8pUQr1Cik2jopAyJCD}mVt+T)rjs4sy5QvUO9>W1jyd%jGAMsZ<)Q; zpl7yQW6K;g8n)T&yH>AbyM4PmDM9vy+~G-{S2-$B&ShT8IURbS}sP*6zx7{BNXq;ZI#s8c9sWl8HZF1-PQLF|q^s{{4D717rB>CHanilII5p z-@bjTe{0qK#pMBd_Ya_0s{9?jQVG?q!C-JeDv$;s#BB4*a~yX@8c>`1)3d+)`SLG+ zMpuzs4*BxN>el;BqhIg$yW@t@t^+G|>b(wr>h#)Xuij{MjX}L_ zS$4hM>)}6q7SuB9oo35u9QW&uR@bn4^-i~AH0xI1uv+yV{f$8VqgA(B9cbLK@E>Vh zZ#PWa^?KW(PX!;Qt2AddsltgMJUn`cSJeAVV17KMDm#fKdKT zXM2EiRcE|fOm}~2G@9*pv(>XeBn%qOUaQmHQ*dAnaK?iH!9i=#1SGUtEu&W-w0mZ^ z-tM;uLSP;(Yk>b46524$#@MuA^k%)+YSOx98>Zi4zms-=1yIjy{1yMv@wcoNK_fu} zK@&{1*#Q*RTb&+ao&E->Xu@y(KBB4FYt!EmrSSg@p%$)DUxNxZ$3eXbgN9l4`Z$Lc z{$p6|HjT!#-iJ|H^X}z+wl{jUd2`s1KAOnDyoWhe(Q9snXhn=C6BXnFe)D z|0WLLH8ck5?bofg6`zDjWToU?Lv=t%!*001a+?I{9t_2b<%D6zPD475HXOL|(gUC%PBS2t*-E{3uZ=M_P=I+cmw`akx2KoNYMVa{A=r$Yd3;H9T z8&-S%{a5-o0(x$Y{HgOReZBX&X_1F}!+*cd{ebN0&y9sU1!48o{dMWjpPMZxo4S+b za}(i_QFB-864V_7_Xtd$fdPF3v1=Q!?~T8J-n97Y-qfgu19O83{pI7f&xqGSy~v|_*@sQZ(NH+Jh_{U0n2W`mLI-t;^6*`Bfwos;S3-Fkj8KGO3|#wip} zr`{zV+6%jO{BckZcSP*m{`YF(9t12>aIl(TTwnV{x=vwV1)1GkyfCqg7)D7#rX^4)ISdD z?5v@j5k~T4!9=HNdE&)7!yg4Mtc3#=mfpl3F9V=W%&QHI5ARgmkNoA#T~a95_Vk;LbVM=%IReDY!?i(# z01`1x5tJ~@NW&iBcWvd7JGL>x0rmriMKI}dKA(Ctkxe|?2k3HEW0qNJuRy7ziwny> z#rT#1$_h=@bjVr8FucM#4Jb#$L@wP?0F=0SD?y(2l z2h_qU;#Cw5teg(T|BUIp|Kyp+@4$MYha2*Vo&WfFdW|tK97{N5B3Tq^16$J-AbjdB zXtBu!&tIup+-)@e>lKmLhb^nKXXw$>Y&-;dG^z5h{Yzg#QVdJ7CHNX+zp@1wnlxaV zQHur@ZN=qj^~c>o!|9p5@yIdTU9dVw-CobMCcS2N&~)03G4o&pgNG;NE{57?}x_84?R3nq1cJJL3sx zy!K?!hk5ne=D=}VrscYwNxMJk_9x?w&+FW^7vn3|Oxr zu7cCEggS`@tc#@LW6xQT!>D`IqmH-PBl?94UiX8JHVM>+#gw%MtQ2ofF!3I?pt%S5 zSI0^5gdxcV#}e&}6cq0b*X(!Da|lN=Q1~qeBo!2;1r*ZyK@-f=N~|OLM~<$r3L~md z&-U;qr1UTZ4^+lZCtXpsj~(?`5OmSgC*%T}m>ZX52EUs~l0~__RH9u_>Aaa5=eMpB z(v2fPF`vZX_1LIJD8XP*#us3%L(ta8UqHE`a;rcHSr+!!XjT#p3AkA7Z}L1yu$~|c z!~WD!ncuBed1!kj|APg;v{77mjb}i z*at2^@ky*jHwyiTe8aS^Fmp_SC_EM7XtYNZXA(b~-=O|u&%%D=+?SdKCQ#1<)0OH~ zsa}=pRY3LHh>EqEmEFUb1d)1+=~O@4Hr1)Nsh?q+x(`m5RnzTebUMYP z8CDlLYsZ+m?I0DLkNrjXE=EDVkK8Q0Hlv4wGRUZYHb%D^8{u?38AP?rf8e)63_`*3 
z|6q%kDG16_vF;l3qV6&d;&aQHX7@eq>btcnCzJ1-2fB0m8kb7Wz!VD>u|09Jx`8 zaXmCgVBI^ydG9G$KRtVJeCPIPthW@R8*%kD2Ym1Aa(b4sBE*-#TptgpzMoVv5i<<;)ecWyv8^u`)2?;Rdma`SMN z;J00h;FwWQn#!%1dzw^t7l)P+NB0{%7BsIAzV{z@f$%uKkEy*y?V=FfFK#H@INCFX z&8JVx^72N;RkAIfXiTfPl0=A%C%LjtZg7ziMVDR@aQX8;eQ!qHP?Obk>aPIbiNs8A zsw8V7EL%F~*lLF7xYDTQW8<>`Buwc9$`Di$_)~9bFK&ipD2ITxp*-yf&4ID)I<%Oa zioD(pt6O?HtSKERy)XTxJq;ns9sIZSmcVRabPmB>Mh^+5F5*pYtC<4~1++Qcjkex9 zV4tNP_x7zuqh?rp3TUxJbT;y7yA1U20Ny|$zs2dmn*p_FF&L7B=)J5--;Q+ckw<9!6sl9K;~S&Y84U`4}%>Ka7P28*y77 z9Dr7DgooKNGu)*&KEqCmAtHLBh{`pl?@@&x&jnG09vT-&>O*8yV?V0XsW%Dk9ODt6 zg-E^GsTn&vdwBSWZE4@L{-MVyZactRnIRnf0 zrYswOqxjXz}st93D-t9=Fv5J1)((x-5?@MfTY+tc+x zeYitVWdY$dMoY{D}azQ`| zQ8~$L!t3d7wYF)+ozI711AOKEwSO7V2n!U+0SV~NUo5eQXr*$mwTlS_M&zD>nU7;* z5#LYLFDmB*i>ph%(c5;GS1!8*h5F!&hBb7LIfz3jNv}7E3Qs2}5>mwW1V(_$ip51j zvV6FRNW1c&uI)XjJg6#w%7a>YP?OrPftJdHsu@f9QB)q(YzUPHwep~50$OKzDi3Pz zou~4k#-Xf7$CU?Fr=XNy*~){u9_Dkk&p^R?zRJpjn%chdpgyPv6%SIGKntFWFHuq- zszbd}hYd_5kKT$v?oaq3Jc!SOrM+0*V*0A|5%la^19r5zVL8MhdlTNe!w%cSVC{0J z?Zq@gzp3GW1(4YPgLqIYALtYEfi7I<1vw$H0Y~VjUl(6`l;UxL@U%qcu_^iFQ_Afo z(L+lD#;H?dT_CyEjFa#oTYh+>CS9$CXQ`A2LZ#yH!8FC;QPZ4Uj`$C1c<`9ggPV-#{j)6~i z!EZXe$RPRqT_GU3l${}R`Owr`_gI@cKfO#2q((l~LU8e)Byhj`!IEN(En2LEUI16e z|44nF%mRKvT$yg^&3p2nrNHpJ@S-0wL5b=}?)>Fmn;MyPo+>g3BCzOhq&yt>+1vBg zWa53_tI@qSa_JrRr#S;n*LY7$Z?sIIFp0qA8xKIGLpzX^1rjy$0zJ>uvLq&^rEgc) zBXBN~iA9Uh4)!5Uavbz zNa0mV=UPftb+NGVLAckr7-tKA>BCCAcE955S2`<)n@1FsVl0IwkYsIb zWCsj!xvl$Gd`DXN-(KT8$;jDwDmEWAcJm%LeJba?!>q)lQ{GaI;-is>BmbCs%3#Rh zaCWUMkt#rS7hq0Jf#L9Jb(EnleHy~Vw+Kg5|2wGK;#X8(@W?so=1;-+%DuKpEB<8J zC1`7_5qYUhy!Lf)gb(A53EcryN_Hj(6&wKM(ZRKiA-w|%lF%d;)+v?Tf`photNoY% zM>RvaOndg+cm|?OTP0wzKCJWcDg?=&)`EbsyO;jr20?KAJX7o4 zMnBvtfPSd;31=WgfvEbskUdZ1?0LW**;@n$KnOOb^TkK|%$|FHgh**NnoYA|;s3*K zi5CfJnjm=)>;OTcy&fL#m$0<6SKA5Kv>sZ?Y@9na)_RApthrM&rm(EL0WAM=S3y12 zICYu?><$|H8q`0783RhtM*!oCVGt@fp&f%W_}dQ-`tR<|AtzftpkIxtf9a#FN3J^b zSn&|Q)`PE?zZw#_!;337PWbpnq|Jm8UNFq$KR(y!`%?qi61Wm%rxAGH@zUhrxpDsP 
z*x+cY(Ti>`r4Qu!1%P$(_Poaa^ZW4`SZ?@)AZ!`0{Y%*ERv;;e7OmM;>IRsvODZVA zdM0_EB=B%d-u`5-h`u7~hOvA6^3@(9f;`2@NXj4&mf8ykwl}J*lbN_zE)4UlYw*p2 zz8*89TVnXaBe}Gg({6ynd1-^phUwEMwyBpOn7d;SwrCQ}2;ct1UQ}OUxOWF9?i`gC&`;gqkXr8bcO=mN@iVOk#58ls+v@3c8Sj%vCIij@ntDu} z9)c|W)gYS8VT=W!fbAIX*)zTvP89WqydII=zrr$)D4>@dRj_lvp~xbWr?1;`Ju7?* z7t78<#L&e#j*um1qF*^3FT^lz>#}Ij3H3P%0P6PzA)FHS1FFcx+YWi-V_qW>270cr zIY(F4_NE&m6ZDCF(0xrWI;A0;`}8$o9SmuE;HXWgmbA|f0|uV%ukp6(PD!BItL2ry zNE~`>OgX^@t2ye>`Qhs43X%uMhDzBIteAva_`D_7;>r>0yv{csq9)}Xxg#-n;_$h# zjJ+PcJxLfBumx=Ho(;7=>MCfI75)lu;$vL9a zv*9^vD??ns;qmJS9}wHc$&re!859PkwrfNwUWW%CTO_=>HKXBfs|Ozt7nN)?-nQ`^ z1%bN^wrx}>IniaYZQ}~P727s4da>KqjA}^jxFJ_Tw?T*|jBR*AeP`P=#N(;Ia!zCm z=IC1E%@9E3(TOH^J47(s`Qk=;9Ui?odMqP7JAEW0eeGV_aH{9~-1>cW%% zl-kS405fv@1?<$luXr)x?QSoQ5PEi$$HnYreX3b5!5n6ICzIGCG+*!N0R%8(+M5=yNmGGoxIrFA*otA5BOfq*hz7L zbDE%hhj5aZPFnQO;mne}-Kv+HOH(rxrzY(2BotSH* z=31gr;yC;zx)*S!P7tBlw8$D-pB1>_O5@z3+uSqJgQkpAR`4w5MadKDi4hO6E@iIK z=(+{?a43HkvRa)!0jiS&&Gd+o@EpQ=I?#cmsZ*B01%RT#AK|H%0xlS;p&?>#MuQ%7 z)g0riXB+Qdo?jTiFm>aYAtnK^m`CvoQ%a!0*JrZ3p=3B^}ck59K<>$Nhc9*xBFzysHVR9w8&q z|C;A6jYCGlr(F984miMrGcvI71M8uFV_#4A>N<@}-FgLH%?M_>#DUL%LY7~sg-3%W zNH7z78o0VDBx^wKjP+9J-K3}`dy)_`CSAQE@ub<9^m%4!J*BkfnY-|OC#_oGg75@Z zCJgR6-s)OkZ8gV)CFHXccHKCEdSU&ZRsUr+0+$Q#^3q+rlN`Xmk!S7~7gx3(5v<7t z&$@y(4edad_HuJAgPVk-b|txZO{4e$8u2b6LZure>}B=6xUk}XQXu^wi4kK9o89D5K`O* zv5_6~OrDLbWnLaa*Cio(SQwsLr`KtqwtacIa4*UJzzt-g8^T5ehRtfK6BF8qAw74; zoPUYkeVC1Cn#J$lk_h>?{_+L=LJkEc2$2`jMmbu8cx$BbsHvA(&I^qjed|K4$oHna-*rRO+7W9OgN6H6%qt|vg9`Sp^ z*j?8-=V5&LFMahhROACx_W5{}FA1{{TRi(MCy9{*LyW@S!Fnu!+mZM5Q!4E`n-3(dd8tphDu6eeF$eZg1-bVw&Y(67GU={@~cZy-n>h zREWba6Vzf;^h~7Y?XCEmi!10WCwe`G7V6Irl}0^&$3))~alz;0O+HOe>ZdAkktHq) z2MOBD$=Qq9&IT~FH<{HaC{6L;SUQ?b%xlUu?1K4D>-rvy(3KEDzP4t9M>Tt13BDf& zwn~yx+dYmXsVp%j|5*iZat3e8Gqf7iN#y5ExtB8IJo)D$Kqym+$A8v`xdAE0p*{9^ zQ8Oc6)U4t~-krybj!%xOcu|}dd3^R~h!-^zMZ7wF0`%vN7l{_YG}{w1g24wXTRV-f{y_X>rYw4>V8%u{k2A9&jFk5z;% z{HY>rv7cg$;#Lth`cp;N?kd9e@S!p_x|1NaibcK(My4|3j5%?>ogpV;5X3`HKYp+q 
z&Z_uQ_@^?GJl1b+_tn#kFR9K6FwE~GzSPvJ=K14GnqjXUUn=ISFzzJ2l+#zlz*g}k zwOtio($x7`<4buN`VQkude>8l_)^kb!c#)U<4Z+hZa|80XpbwtM7^nD?2P_hok6sH87oXtZLh0a(*iEzI?S4d&6gYcKFx zG7Z48>?Z(ZD!T54eTmTbwVIi-Q822VkZZfO)U8)urON>YY78D?VZ5MiIbm_0qp4>H zDNLnpETSDT$7^^+>xqkZ&-?+Rid{f1dieB=gr{f)ww2Htgn@-)I8u-J1c=pndO|CM z0ssBo%oVpff=!P%ypbg{$x9?S81^W`k$9Z=C6|&x_{@c_v<6-L`svx81mx4~;2?6N z-lv)DMF4n9-S9D$qVAo z)wOy9_c-V2jT9>>RKg?93NCBOphhLz7SSCc|mt$c=YpJ5JPVSl;+eD?J~S@8IG&s&bf#$N$-qHbHYWM zCpg`*#+>S8E9_hoV&^Vo&G=rj^qPrTdezMjoQ5}(rN=t{DYEmLsyuq2I~?**zvQ*b zchy3bohNzJ*sQdz3wzW=%S6vwT6anJR}YV0hpsifB|8kbn~fQ>5zkf3#dAo{X%4-K z``rtcupS;Oa)y`a2;NCHn&WMgh9m$*yi(Mxive+CUNR0K>cNP2KM`e8m(*htuT0%0 zQbm4wW4!9MA1vRKXTpz`!=-4Tdf8Ivqg0ls^fEjgnFM3Dx~8?{c4x@TjjIk7DQUiX^tY#rt$ptX3)By2yd}YrrT_@hg2@8iyL$qN|H(IiY zHyhIesTc01i&b5PK0IDM#kF8C--4Ls;iqTE?@upIkB?rXnop24$^Wre@szk#SNuMK{dh4#_k>7^o_jNo`l6hD$h#gS@~%_D>*zWRp!Uj%KXT5krdASNOFnf398Pw#`Uo&3u?WLj|>+_ zmGQxgtBenYa$1QQAFYiTJXOYrB0r9T!2L;XWooHXsr6ZbHJ9~=2h00tMJ;`Glmte$ zLqSw6%=1qs?}O5|7Di#8glL)Nn@H(2$x}g_6!2G&2F1M}eqU z^5*FH$Z_!D2~GWLdn`4e=fsHJAFoQh1Ws%+FRb&$_}w|IqyrNw_@z$qzB9PKYYI zLtCfH?#Sc1XvvO-)?H+GM0IUbp&1_M>)c&P2F91l&M zpD)KFlVLZR;}JL6wm;KDhoDE7=}~+VC1o#%usO%*9cFr@_kDxc$N<#S{@MGEJ0BsoFygiPmK=Iq#% z&9q)tM}||Q%Ie_7RaS>WIqk%(j`l{3n<}eAks>Vf^ykRyXsdFm{aJxEm-UDT%j;-I z?Rs^T1V*;|KvXTv^-m_RgHyK_N@4GVXqn}ONbNSsAHf?H@JO&G)F;7=hqZkYnW^n; zoX7c7+-L4LCBwZ|B<(&liE|w~$zeCdRx;Us5LK%fY^L0Jf-%^(Y#g-jA_g1n;nBxn zxfok33fqnwD7sD1*i;lYQ!!wmswk}5u8P8H>im3B*i44qWE57XUTuFIR)?ZT7l$oA ziIUQnL)e@v;|}AnDfU`vTj|c?uzKz(Y73RJfhyZ)3v8bpHcu5Zd0H`(Oe3an%p}QZ z$>WfmZ=G?nDII6Ms7ZzqQbkR8aTPUDD5sMcHR)_b6{(^oiX5T0#{3j9la4BtI-eC- zb6Jmgu$W0Fs)MVeBrvj7eNnYA&p(-%38if>j~!ItK4 z#xlOLGRI_Ng1nBXPZD%QS)nY@YkSPfq-J~)FRZuj5~)^Wj1b7$Hd#5LtVrAT%%6JW zn1&Rr&yUT@lJp@kK{TuMjr~gLYS;PCEG#H}I zMP?}M+k7k{h4#>!Om@9s=HoWGyh+M374-!$O@|3pH8mq^P$IDw)(W(nxjzdubr-B8 zTK^AF-!xP-3$P%@x$oUeEnPcOX{-@RLtbds*O7~*W_%7wy)7c;nuduzE}|8*jEMIO z>amTt3u>F3{C<4)%0oBHeBtRlE6&w;E>(!}0L?{Cpqz*h&EYkP?PST`6H&E_7-wot 
zPcUNKkzFI5yNDP^dwBE_W2(rl6)*0@T{AiZz}Qs0IMXO%psIMW+OCQhYwG-b@#0K| z-DJEtZd`7Ev{;9rM;9$FK8cdDmqXZ`3-=DA#VMYu(q5uFix%s6r>GaGg!iZN`cz(@ z%Ii~keezYUygrrJ=T5vnIlMhpuFTWQmC1D96wZ}Na@XVuL(jL&Ewd@>ZoN#I4EIZw zDZ`7aOc{l8x`~-G-Hn)GRi=z;IB{L==g5}ns*w)NZ(pGg?%NWWtPt*qhsMenYv5k^bGWS_d8g5J0Bb7;PVfw*1G)!KlQwS z?))0}nuq}u@WzNnTk4T1?S07huB>shnrczU8h9~_IIpil*D|jGr#P7I>?SlieOLTs+M0Ophg;wZ-Aj-d~w~mu_M-mGW03~v@JZBXUw z#;#kxtQ$!q*(;2y3)j95jNcaiYHpCty9A!fO!m|<{E4x=at(O|)VYIS0U)#hdLP>h zhjPHkHRgV>be)ou#ET};{q>O3McLWB}Y)0XM?lcnELG#0qKkV++5dM#l0l$I8%|seF})e6 za8!Xmpqrm_H1~o7GCNIF^Vu*y1E~kOP}e$f1OyUCg)mhJ#lzHDWpqW%KBvPK>RW=o zlhQWSvFN;HMe90M(fX&XXlW5X;{=gHj)hV>v*Y4O9H>_Sr{Zm~1S{vO@z`}8V4E24 z8pzhH+RGVEKwk+YzBlt23+uz61@$W(8Nc=~y|Ju$bH7`Wz1QeHW7&^^M3?;6C zk+@AX>L=At)3`*XKZRtTQcaSV)aKM?v*;tu`11_5_Th#9#Z5#ssip3~A3x%Oy@=04 zRc3UONrK2nO=D?AM~z!_f;u7U6d5z$^6zxeRNB*xN5A)psyW84?xlA>bRsA>HE^!! zY-HHF&-%GM12~tL>6{1hV`Zn)79ZAo_g^bex>F{=ojJdQj7q8I&E~6RDxVuf@wxH| zwBKG{B;XptLwdFb-e&iy^Yl@WcDpLoXPLgi$J7LvoWR+AnDU5|%Z! zD2bn8FpJgfXtHz@)0bGaQ{4W*(*3tPM0L{{zV?FUkj6=$C1huc#-SpRTrHMW$$wJD z?tY(R&^1LnU=?k`d#QuWT4i8xdzzSt8mam>8hDgcGfo;HSP9A~)nWmXvq;gbm@H*bpSh~t;`_=R*O;N@;s(V!pRA_S8zg#{kbSsY<%1~^ zpMaiot%?vG{vbco_kf-~FUDe-YnZD_)m^O6MCm-ND?$&g`4R) z5Hq=Ph$O(V#VIO@GDlD9zXJ6ncjXHYh~?cX$>SscY(mOm6f7rZ3-N`@8OV#2Ax>u{ z7@|B&lwb-#9z43masPEY?8<} z{O{-Q-VV|8Pu7wvMLTx!@l;hNhK>QuC&@N1O z;S5g}{`|!MmU|fZv#yTMe@g5yMpWn5UcHg@Q%vjUKcV*jw;$fpy#~flqC!G4B%FcZB zx<-^GB=!sYi_26h5_`qO-r*5CYcaVO+43D{%RI|jlmYX)q_>+5kLF&O==V=|bmjYB zvT3OlTjr=*u(Bb%1TPrp|DfmAKJhfHPw?>*32Z+sijUEXle$_8xC~t z2Of@5Q_FMyfA-#WJ8oM^6n+&P&a5LjpSpFkoo&xf#)@xI;)}+TopZ+a;-b1KHAfWL zL$d8?=j87^z&zqS$%g_65+p&O0Jfx-(=~fdEH*BMszRX(mnykmc+)I?`;-6kb2S*C zu5lz4dMDxU1)EkX)S`csrQ#qvSE2Pa1WSjPIZflKk`_#Prb!XR2XS3kVpo`%_oEi5QHpRjr5AbImRn1r*ENNha(4z4^O`6CmRt~JZPL}sbwN`lMx zD@_rP68d*dMH@CSJ;}Hr_cD+Hd$-O2>A8enl$A7Y)RqXr|5>kx(o$U70AOB9tAF{* zj+faT??Y?oEhR4tC(%5j9P-c>4Xrhi?&5k+I(Jm7tGYOsh6C4QeNC2EXg9j=gVbO) zFgbXOIiyl~T_5F~P~&X?jicx+;%_YYb!_VMz`O#__%xVY(2twT 
zbH!#U&c$bi>+AE_Dx}_NZE#M$i4W%(1$(yg`J?m@g|bu?Hm(cC?G_{{<^kJy^QZ$k z-q~gt!82NzMT{HU=d?hWF(tFj9x-LxFTfT$O^fR34s|!f1WqE~zdL-IUQ+p>GiY<8 zlzZ?y|GDvA$T-5G4k+xk96s}3Wa*`RbI)eS-qyQ>F3Wqx&}-|cpz)M!wH-|K4QE!% z%C8i&qTG-$H%}Vd`{l{g;LQcLD+~|+Ha^pT$o3-UXkZz#*|`FJtykjAv*9lndXjeVl`^+_}tWLgfyy+^tBab!_-*|sai3cySs5w-CKsJ>VDQU#zOEs z-L*Q5(4hrRD{O}G;BIi++`5x)ZvQq5lj@xvdjpJVKoWhc+uBy5Ph4(k>u+d-RKEyg?t!(*5_M4O(Bv<8*H8fAEH;iLi64Rhr{Qx*#u^wy*4UuPyYjoJ_ za|r3Mxh`jY-P(H+vtVDFw%2vhThu$4V#YPi$XH{6A({+z!%f$QNnvZ5TXoMG`6V|k zo@iwy0?9D7(|(D8Q#mFn@T#aeM)@^H|LIgHg%MYpaQ6;f+5sUBJmmwrxWr#d(eRwE z|JbTHO$#8bF&C_IT_}_;80RSmEbg$W!H#9|I*qdc*}k9+uJmVQs}=E5U67ovS^r)U*Db=WG-BdlFyG`%#2UvK!`LL0cq3Q&mJr7?+xLTe zI|fTvZ-6dWlNb%wzPk3RvX@y{<%|yPbvsHK_pSk@_OOo-miqWW>y|Vlyy;3p#wUa! z?D=O=7*Cmw0=sG}((yx!o9m;7-u`;#SnpJjVv$LE$ch)9%a{dHXLZ;)tIgzVp8++B z<~?KFe2`-m4_XlhZZ_NaI!>C}UGfg6ZQYBxo#Y^O*f-2;8B~Mqt)*3#Iix5oQ~U%w z>8y2^I$8edVru8`1Vx|W7J9#Ut-c&YuzogwICSgP9 zw|HYJUf)-fH|omdA%;hI%jB)RXJ;0jzj-tm~4t_NT7+)p<%AnXZ}%$P_fL=4m_E zl1QwiaFUyeO+VsjrtF(%wN}WmH;bmzFc}?(NkOZ}BCV#7C)?bW{Vg_AL1AiE*}cT9 zQW2m|9;T8D1^*!NcoFs8#jLL#U*$!3d64JPd7>~D6b-j?-R^!r+M)m3Rq&%H?`-w^ zQWZ$M{g$e3kEBBsh2*yIP>ircj53dyqG&QibuDd*h@?axR4AHmS$Weahpe&#wJ=bv zcSVc3lc13kP^}ib8f`fD(TSnEY3Qp~@#*NRDwUi}mXlq+)YzK*@@0v`=`L%wol?HS z%qSjnIUjsq4{DK^^kr@LMdhcWL~k2a%J#B`vQS_0c2lzCvbs8Pd-bzEfqPXfX)QZF z#jF#$3s9Pq>ICoA&mEkQ&GsaIuYO04RhtODDrK7xUVu?Q$bWur^sPxcTZhZFvme^e zCr@S}5dz5b&-R37Dg)clf3Q6P{wyFptFjc2J3Uc7!>(=SQK5F)sFgzA=V3-J7qqQe zKzj^$hU+@_u}A{lRSA1z^7ga<%%t3Yhf@}TtIl_*(2Ha86oR!vXHb(TUY{>c<7h(4 z;4GcN(0Zq|9xZY~(u5SVEQEaCMNT%y|bCjYdjp&M*|i zE1NA#joS}OK6eBu&5LJMT6(1>%W=oN|>;3WoWLF|J9E~Sfgq|=Uu!E zsdfrt)=oHu7=(=u6jk?y%vPjP6uLhq$J7KTDrducAX+#MR2g|F;pw~p+5N3_vdH^) zuWpg%Z|Nf2W8LhPk}6}WD0VWVn9-leBuF3`H%KeYNuI)!$vJZ?$pP(h8f6sExP9E! 
zO(xG94wlsCHAYo7b)A(L-qp=FyhJ0TRBgDwcKr zAn}(2_j9ExY1IFw4n=&-sLgF{$$wrla_Wk_?>ijo;{n)0&ZLe12hGf4`oGZ3zRdd_ zTb_P69a|f@9hbEU^Z>q4>9|?FpHq4Xp=Wwoi3r;z!@{MxC)A@CdTFksC_d96KKlw| zaD&}Xhna2n{{?2=g9%gTEge_!#4hc<6~>$A_ZzV2^u zV8X}W8eRHSiBcUyM<>%&Yk)BSn>HrFn4iID*fV4I@GFb()WbQO(p5=x@cUQ7$lKoc zeD2Hb;!g}3DrykYUM7Ij?6q?tVh*4*L#+H4rPkHzK4soIU#nT^>+`p5E_zicn0H z4F?$7xJcKg5G&s&iusaI`a<1l!2ojAZw>hW*U#4B=$A_7z09}m=2q1GuWKqyb-%rl zq6xH~>T2;>^18w>_2IYjmDG_=5}90J;b@gk2WK))O!^>YO_Glk^!jFSMsf)+v25#u z$Pzy?*#|B%tjPa%v%wDPB4BW4mEJe}z?iVj8oFIlk(1hmQhTg-dDfmQZ2DjTZA5xP zQW!VBI|7q)_UJsTQ<<4qzkF6ne8@@g{g;NNp+NgU5gKZ83aPOE*3X(v*f9q6KKmNo z(`^~RpWEnG+@q3y-QW5M8#|QT}YSQVH{s28W?(uLi7ayu>7v{AHec3?F5aY3(~K=jd(&OO37wzN15X{ z_+}hO#d61^|Bl*mI0wf|HTaJ56EupOK}+Cm;QpXd(%X34yenL90BWit?0dtf!}9hMD>IHf(^=qE4Amjc?#Xsf39BG_}a1jyG>#?odNOz`3W{G`d9Ge&=tx8aeI zfDhI{G6;E3J_ZKq#D|@{h|;qly`tZ<#e}0AO`Smx`Avof!^jid&O-=Zp>)V<15f%;nDsDHlC7-_#$`SkM4V-h~Ioc!g``VgkhV4+O&MCTMp_X*M? z#`#XTp9zc-DrvJD3xJoQ1D=$A0YKr`T_wuMT6YMN>DEfmSQ1^J==lUDcLCoX*e66j znpR!w1OHSbKWhx+r{aqB|Y*70#V^WVT#i?uY3G%AAiTu@H@@dyb1Ew z&wYt*n8LXS(7%}qzBVBl%1K>6A!CLA|Cs$qeZRi1z@;s8R=rB9=C%LJ z?T5=Rxt=<~PuJZi^0Yy}z)o}gA5ze82zA3EqOv}KqI@ip-fC&nurNEZt96LdOk)Ia z`x$tIdx{1BsZpv}Ii)2o47wc*{5O4$T@(}vPzIgvTHr78Si)`pTNx|^D1%Hf0A-Mg z1fUG=g4L=>n}xk=7*cC%Env+3FYfaHxc#Q^eYW#N7rXPD)M#GC8VzGF$Gt`omVjngQZU$4UcmD*qRb;KW_tJ42j zm!~j0_AGN%e1KktyqER3MZJ{op}t$D$Ci$vK)|S?NSaErBl8cE?)zk$ zJIzcna+0bw?|+m-Lql^^@rdXtdx;t*y!BZ+TTUZf8fZl!4&MKG|B4*AxYcdsVHp z*1@xWxMS@FDxXQ#L0tuDw}2nDr18&MP&hmkR~~x0-763d(FK4Rso0K$wvvo1;->m! zl1_z{3IL=tm;XDR`S*p=8j#LR7#k(Cig2nfQJ0MCioFZ3<*c@rga+u5Le~@GkHj#H z&}Smb-asMDGUP7M;q4euYCa~A5by#0^x89|lES1tI7t3%9tJGDG_jrk0P2oZYHrJH! 
zYMjnRGN{rtv>pvdM%LGrbR|k*=aY*A2S(2IyzBLhcD?`!7f){h8-0`gTO`1rReOa z=#ujS`eLK^x;T?+&G9>q2s!~s!lFn-r=0X4?l(urJco9N2SnYgiz%=dlWx$}mBVXg zk+T1%kqD4im^DV5bu#Jv*l1>;drp!1xw&0~tSu4}k1hyM=T(9x4}?f*fEAsFkP8aDOf_HtgL~G1m`1$A4=faM9#JFZHNO^M}#26hxB>wqfSjX zonr)6=n8{~cyww{YS$TsSS1<^js*8R1eb56EFrHV6 zVZ*Sc+gWTO@fXU$;wYc}*+VOSq_z}hGjmz5IL{ck^$DtiG-^rC+7DfWp!xGK8>(xv}B~}Dy4|hsdbJmHogDzQW3vxSyx!9#6Wj+mz~eiX+v8fJUj81*2}~b9 z&0|>fWVndwaP@42;~t-3Hs^@euai&;QIu<(5zlTi$JXs)^w>4lJnN}gFJT|#X{<1r z>uY>Ww%v*vo)ZCL%Mi8)AxN`m4rk1(JC8_DVRU{FF2sjVv4B;i;lIYW5Tho~7vvIJ z&t8}Z=cpcK)d17Kb~BtfG|pa``Y^qH9b@f?ZRuUO9>rq`N*EDD`7?g{}VIbKQH}ovTBKb9!QenI*YNhAn zR!sOv*1Jn^P!rlF4cb(`SSmwdrCCM*Tg)PHv|J6@>;r*-sGx@6H&-S-Sxwb9lEl%5 zV>7PK@)Hn&(2qrcRXUuSNH zVlp?P_b959MJKwcUDli_#we%jgr)s=T4eQi8Ebplb_shYe6SLze0ELr7ucyga)+PJ z+*`)Au-`33d1R|r8*k~EpZ1zck6 zIc3DCH`^W-&BETk=O;cNBc4G{$-zyk-ptCSn@u3S&?R{<$aWM|W6L-ZaAUK$2|nen zSe!O=ob#YJ5itu=@t)+t{hlZzMcsq!HloM?H}Y?;AC<%SMl~Qm(cQk z>OS>y3!G{YxM?+DoRBIY)R?&b0d=on9_=?v%#IAG&YQ{)-a53k10Zy_j<^)N?M5zB2@~O&VmFbPB|d9Lp>q|XZG&cq=je<Y(DSQ9pf`ZC>I$J;Sm zM4l5ftQh(wlF_tgz^d#`KsHvIf4O=?oE|x!mj4a5d*fZ<2_T#-4qt&P*=mrxgQrn= zf@8S_&pCky!sUWs=%>J7=(FI<3NT#_s{e&k8UcYjoAXs6bhD~&MRpH7L9WXP#a6`g zl#N*!Dx-L{E(v}l*9P;C|3j2EQ8|A30TQ4;20W=!j;kP5axrE;2Opx{spB(~MuWHA zg4>9<5s=sRyJS=fee+?)8$MBefgT%Zo@)iiVK>{?{Whn7Hh^Zb2FrBq+BjUIQOt{L zS^b1D|K^n@0Fo{SIBTMWP!GI@reM4=g`^bVDc5A82 zY@ESWcUm$*7xF2SVJ7K7<$!_XwAb4~x7YA`z|Y>ci(GF&%>vF(cAOF>p&fJJ-{u_- zjdC15;=Y;CSf<{)^92eFyP4eE^NBd%%Y3mU$?gg98?F^KJ6!!VGe^&fy_bx!mhzKa z?dk($X&{^vK&bgX@Hw6$gIDSr`lg@gHSI?C136ICfVbgr2whzx2f3+5UMN-5DL9yr zy3SJs$3A-Uf%mGd6nbCpgRVr|R-9NQu7aWMdVr(5tf{1?=P1KQ>aT0QGo{z48Zw1~T>3rdgiQtTb}6and@+CBYK#{TzRT|SZwO?$<=5lBrQPtabyD%V zLqdA#gmt}Aus(;XX}-G~U%Tz!V`zin%=Rluj4OC6tx0s_4MR|FgYfIDF;X1FspYm) zIoHKjMN)I)ZjJi?IHry|tBeqhF*|T9LpGG^!U5>B78e`g)=F**^bmsfa%Il?(zMc8 z93&pgb9vb`(fZeNBuDfvY`KOpp;y|I>j48Aw_Q_h2oS$Q^q)GyWnN%Wn?YB1#p}#_ z+<^Oih1koZ7QTb|Q-@db5gVY2gE`SaQtbB~fjUGnl3S}Ta;-K|vF+VJg&150^H1p^ 
zgElwM|Jpxx%D^&aS}{Luo&05-Q-usNv32{+$PCW>qz`BeAVdn;{{E}ahT}>y?;9+V zzjg&)6-q_lCk2YTc?wcR=K?Io-U-CRp5X5$K?G;O6S70)KWEkoHefSDANEM}*~YUN zc321%`km%ftVTI%Fs5PHtEl)FZRIOs^4Mk>W^?bwY#d3DJJjGLqQ}HLjkm=Hp3@^_ zEZkoG295b=EF>|-Kp?c|o|UOrt6W@9crP-~$4jEucC3#I2my486#=velyl2g@$X;) zf)JWMi;4*rkyW2T-xhGFi5U{7y16{IXQNqJ7D(tm3oM>zlwvNjC7b$AJd}i(ih&=ohx1N%;{T|vw1$D zTG<og;O}+{7lmr8ax|mViF!TJ042a^~8xLHHq2Ati>#c z`M>QW952{&jlejizNGb9!({OtLrAaAqW$rp8RIE{<<5)xx`+4#^z9kyf5rx<{spTPiP=uy2n+d=AWi1__baW>2l(Wi&F@ufiA0A0MQejvuko$Q?TTzp-%E%}Um zFMcg&9oVk`Ud(#$oIPt?OnglO@EJ zCk_|SDm1rea;^3ZJp=8Nxs6iznvX$_!*EVy8Slv^-Db%auHQU&+Lf=~_AsBPc8gU! zV6V0mVCksJ!%)$$Q{B=e(nplLv8_8Rg^zP!*!wlZ7;V{>JoAoS4&Yd4G%TLooMyk~ zzKnAiga2s0Kc*u2ad8e%6eo--Ydl~H^x4oWxC@C#uF2Q#il6EY^d?qPMN{olRewq2 zlyv&1l0tfcHFoC^k}KZo2@S!Q&?1+_dq2YO{k@)I!tHi-2*)g}o6ga#`;nFsUV?zW zM|qGy02-GbsGhh;t;55r@EtFpUzXpZQT$Tm^p5Tg;HdndgH2Qx2%k#7;E=hX%$)rE z9;xAH^H!HqcJ9g(DH}^X7Vs0T`E>p`J6OP1YC%sJ+4XkV%T?LSBTUWtevf=aH?qOY zw;|IL>IYaX^;$JuxKzU>DryscX?18yY1FDF^r1_ZL5t}SSQ_RX^#q)|=+dZb?^gxn zQ}eUe%YSK4S21Y9K=li<8v3}50$(+8NGYf^0QVc7m027GyO!g1(9<`&$`@Kzdf-3H zZT97F3fWVJ2$nti42e`?cJsr%9%$aQv8}1WMr_F!a)!;IURF12#`vGStyzcAwRACC zg|2))ww#o{1;|pn~*?YSer5ZN3=I3;n(K#?V z8ZT$T`zXvPb@R=zht)U=iTY{;M%(uQ6lps?x3RpHjT<^ABk)Y`;`)Ixa zi{_p`c9U-s-ab{Z56Pt{OfRlMnMWt8fzWaJe85_J6>&a{-%1za0Jrij>?`3Qp`lFB z?inY^cEl`+Ek0B~Pp`nDj^A!FzR(#kBve)L>mQMVWnJ6RAwp#0xDGyskjnEdL68*u zN~+$L!F(J9|p5{_d!jH4LV`-^Ydg43Sl>c0UxD?V+<$p$l5+An^l#m~J) zHsQxW35!P;f?;6zmr^Vn8Ov>A2g+bO;R@of%|Ze+WH^6y_Y1Us!C%52*_SOr3eW2I ze}?5t`?|xKV!E`Krn}t7 z7GU<}if0YwA@oEn^hD$B-_mNwv6^;v+H&KA)0G%}ni>=|)z*Q8G}Tm8$0tUzZk56l zqaWPC=Eo+r;*ok#toW=BqS*xCK9TH)PfT^8{MX#gZYXe7HsWw#RTMg!PT4tgdR-G- zxM?SOGJ9WnXYJG%2+ByVQ4?cYB}&)6C5$BfeTbSKAY)FTqa6}Qfk$ZEhZYn^*}s?6 zMpX%y&BSceCn`I|{oQ;pL@}ds9I`RlBEy*M>Lzx$ zmV9HS)svSDQe{tr*7+Gegk4iwy|c&IbqB?)+Ivml?7EgFG?bVM4C-yMxvcxwo+}~2U z*ySP{FI*A$pY+kEg;F&e#nktd2Df-OME>1~BaVpfO|Bf8$^jO1gmIj+t3K%kaUxJ( zYCR;D*&R+SJ3gc9fC1HwP+MqFZHHJ|GXo<`O9h;JEs+bt&Vx&xdod>x!vLs?WCk4! 
zJO$!(rmA*STOwRC^*wtOaO>T;jej%mw7iuet3hlv(NYO)wJ$C>4`64l;?a^7+;SPy z%%w77`C8 zM=#a2T$~l);tz@`E|0(tsPq#6%@zg0sPe}moU<$AOhdA|Qbf#|6f$)rNWa^F0Hp{Hc;{M;moqG{tGto=t2n_A_w zcrj6aEkInF`w>8+f2KDP(bO^%Qu8v?kW8Vee+k*vL^i}_xMyj){(Pi46#d$p+l*>n zBd3+gnXmmo+^JIp61$WTuP0_#sDvi_=bsJvF!^gdWFzqrqeQZ+&%jzyV?9FsJmztZYdtwYch7y%6p?0aGQQ8{#f zkOL<0plxsO!e^o}St8#qus)X@oY7(C2hH5=Q=wYzgGC<6;dxSmpaq6*e;+8lJw}oL zHFsHXQ%5yuPIf)oE4zH8H7R{-noo6{!=ol3EF)k)zQKDkOaomECKf}_J<+#2r|KOB zJIta;yV>w`=y<+5URg|)|8DwzJ74?(SXT6_=FR=06kQ~UJ1-`94fcJ;d+s&%f-%Fn zgAfWK#Dk75^F*FBeTp-h68;mE(lLe#7sJeZ{a!#p3v=VIJWSYHob|1pBkP$N^jt2D zz|!?z#nv3#H5S}}?o3e_c)kBHP3P+#;JUxp(=2GWWFMUShoOTvJnznADctyBh_BT< zJ4)VP_C}k?Mr`)pbe;&Hv!FwJN?NQYV#Thq=TatOi9QGkMwowq6(AmMtUNBLCnXwB zREg)1()g{#{dV&$I>_^=r@xcP-nAtxLFWalo*LL&(2~XxtIM5jlG^BEohH4(fN5dc zSB%DW+W(0uv2v&NgoothaJ#bRkZioiyolZ_q9a4W=e46-Q(hjO={-%Y$H?dKYM9aC zd7@s`DC_@a|E<+f-`)NkFgYoP3>+@E@m|(C_E_V)NjJg<^f(~|G#YD=Impo>h0tCnV~BC$SfvFQ_|2C{%06t%nRv=Ig9(D zk{7`w9dZQo&yOw(L6Sa!N?N*Aytc(Yy364sE9pdkQR5W?hN6iM^r^BRK0q>$-fbgZ z7*?q-)N|%4f@Lj22RB^X3whdX3gfMVc`n;r7K&<)303qs3Pv$@=TSNSIgHgOH!Vi*s>rwA9aXjdZNXD8AI72? 
z3L%}+YZTB}#~w&j?O9baG_GiBqi8SFsB{^9>3G$we#z$U5KxJ+PV8hmzhTcqzyGFAeHqDR@ zPM^@3D<*k$xpSfM-5b?wq4T|#lT^Pf#yDkUsk86$Lz5v}7e$HesN;{Eug5A-0{k>TkgD`FS_~bNp5m|-#B4zH$Cr| zb(>8xlG9M9z=+0jF!u;gae-9+z>U;ulr_3`d)s{80m6?9WVDV1ualmtA-QAJP4i-n zSe`@L=_}@_Mr2h7l_vyG!R&%2ckSb(4Wn<&jY+5nP?R~o-*e0SMkVw07y0mDI?T?3 zI|JlYdnE45o;UWl{~fG|@7-d#*HQMNjxU`C^NO|EpNXA~l-}$woYB7 zHpuYF5C+Mu!L=`}W@_V=EPysJU0_6-F`tnf8Kmnr#7;czs}Z^3)7UC+P8}Zag~RZ> z>TFDl^z5eXU)xZULD70qiDO*0{IMI>F5`1Pl;Yh_X-LtFhessR> zd6q+0l{vRkXXpM>v>dSgZ1T&@yd{<(LmZvuqYy z2xLJu*u-L$0ofKD7>z}L2_B1qGSiiQx1y!?JF=tCan-^w_D`Q(>@lC|l4?T~(j#T{ zb+|hF8o<^%DpJW!MZrg~boy|faO?hi*=J6&^)>TAy!P6KHGdLV(kDU|v%w9I%~@21 zv`-Ub(khv3fVpX1^=xnFHs^A4X)7ll*BQ8}U<7&Ew8Q5BMNqfY8;p|1CXL>-YB`Hl zB?K1bQI`|?lp9inimS(7xRqmahX~wNV~0;*F`1L@P7?I{~<0 zZjV-obAcj^#H5)#JVvse9$Pc@aY?@hXNsTEa`%tORdZvbc<}U9d1m$VgDgUnXrAec z_~9G&eZS^0LcXn&%BCVzDFS&QDbp`PdRWm)zI|4`C9-}+(9BES>k?!*8YlFl~92+_@jAz|BGMoqKUM7jT^B%Ygn4l*NZ#a2n{ zmo-{VAqT(>V6z*w3pS%QiwKAIJU3`omh!x@OsFTDqG4{LfU)lJSScy=!QpelrF0Rk z^_o-(WJO<-ZCXhGPjlE6G>}s#A1s_1*GwpP1!m8wRp0wE8*R6qfQ1uf`-Aq*JDs85ul zo0pSPsflo+)D=f>x}E!_DNVf=;W<*7ZWo9Bg$uqXd=D1)gJMSYAW6e`jm7a2_o)wL zB4A-aKcT1grU@Z-#@>qO!Ut->ab|PltfZzu#Xw2BV)o+9B3;|BLN?{2A1B6(I;5wbIea1(@d1o7q9-1F@ME$%68e%Z) zU1{SCMVxLVjV6>cv^#XP0?i(MagHu&>ycjc$n0bPTH5l~_~Eu|(@e5EVVJ_u#Ry6% zBfD@4xT%gt3cgoqHp{d@h0A9A(=i3fwe7ho;RW>i_Tu%HypT>);@Z|&Mw z23Qa(MMqTGHs3NY^vI32&F)G0v@R_}E7!t9tz7s`?)LYY?%Z@m%}ebyuSe@r)F8TH zSE-~j_Cn}eygG8lfy>xQ8nJjTLd~uQEu%&E51i_7g0f^)bc#@tT@QUSc5;Oz9HDMaO(GH-W1h^+Wlh(vK1!bnu_FesKYiY$&a zrjD$Cd(f@7;X+`u?VDkK!6Zd-gdBcXk&UR*AA(MtI;zZo>jzvTZXCM`_lMHvY0OeB zc|BVJkM?)NulL7MM0EM3k~2iT`y$I-FBM*krFXuFtR*B?Do4eCYeSdFxh4l>A~d;F zK3yjM7OJs@ee*>l;V#(;BbEfICiT>-N9IoFa7B%R?h}tj4j6CH=Ffc5sbqQwI^2Vs z!P#n$tF;NNF$0gQWqZ0k8)M(U#0xkN!DRRRg6hO;*}GQBisaJCvOHGJK`z(aF?T*_*O7(~z;?z(u>gzJ z3AE-QI(5BJKd4?rl(ad74fkVG@G#nH{dSenXI1=hms}ZVm&XLj<{^M$4rS-SoWI>& z%!Ey{gH$(U27&w!Cp+ncjDWzn5HFxE;wvIc2h}x~@H+zhI!%5c z3&I=DJm;`@Vd`1`;8VH-C=zV}?G*J@*x=zKm9_G&<@H`f`BizPPz%!aO>&+hF5LnM 
zt9MXGw;Yjoql$V44VFtxFyO}xe%mpj-wa;|Y*nLqV4O`DQM=v)tzq{Rd4`8I`y5Rt zCx{gGE~{QDA5&Y9a)Mvqd_j-gH_lN;HC(`Gtnar->RBT=DKZHlq^~T(4th7(6>5OHsf*w_ z=i%=xl|MS*Hv!hm>LbrIc334GhR}sM@Syh8)1NDbeJCB@WK~hTj~K$-z-DX=n~=Kq z0zdb?f6)_bt=Om16E}#kD%E)y)uWKdMF%3N2lAA*LdCn1QY(xL5!OT_AE~5a#Ue>* z%rom=8NQ7DrT=KVua38_lID$NI;~ir{dDC~I$L##*oc+Uc4EQhZBAQO8YXt3P#yZJ ziW)W(`5pyJAZ|!88&HS&uneY48;prZHTt?kE2Q|**KsGeO^Qh>Uq8KRYfpnCiEE|_ zI=Y8%q6iuoVsbjYV4teh|N7%R+%Yp3Fb_ejzBdM*=MKbnhEFLlD3y(L#1s!t20R{Q zo=h9Cl-mz*AKeMG==_pqnGkr3Kdno0C6YKzS9DXaX2jh=1aFmo!O(;Ue1o-`pF zr;~aSL)+^G74W-P7X`^Yvm`z-Bu3QO8J2#)ILB}yGQ+|@VhMMNGj3F9!Z?=?Q^Wo1 zjQ!lIjWH2*+Qt#q8+4(^;*;D+;fH+Qb99l>tg@<|)%ur`XKIO^15MqpVkUNLEb9T7 zvoHLYLB?{kPS6=QIPfsNmRYK`zauz%35lw_iOq=)BRcxY?u<8+Csz-ywj7Md0N<9V z$GOOZa!w7(J<6t^+Q+@dJxNIaS?7d+9i~8}dpe#Glln8yz<8?Pj;HRJZz5qohHEej zaLl0B#W3+I;f_X=1Uh^CJF1_ZtE`ml$@e%XPI<;Ge#ro$Wu(al-s;Ji2$6!10tx;6 zxARc;vD)`l7U{hNPRd%R<|#jEMsiiYsT=bnDL{u%Xdrg`Q?rba`O|0|easNa z8qA%)gfyMHfkf=%^Nz49N@kjz_l~VZ>oOnecSi78|M5 zR?U}s&6Of-$ClKy6LWskvY_=k{6rxDy4mSPv>)vIwFX{oS@!wVSfHTgQY778c6+IT z>$y#C$w<0@KrP&}i?$$VDcsXgaw(BoK|V!vX^~q&o-W)|lkDQWAi;v$_)VYWhq z?^00t(6khTM+XfJzF;1Fz2Ak%(O%@`7jL_zabu-)n2+@f{G1R1(F^WiYL%-c8^kQm zDoJ%JkD=^FtHcJqmOm17G2{FuA6cha>vKkRlFDFU^#XBX@6WL!X;9$ORvXK9OA*s0&6nf7EC)h+PuspH(j~U~MZT z_iw%tk7rix3gP7iGL1<~y6FZ58uUXKaPcG+;aa$EjWv;Ce(&&jRgamYBsTm9p>HLD z@2@we1H&)n6TNSxjWjJyhm1Fe1cG}X@4Wzt%*5PU8@}XwgU+<)ohgn#+{wd~%L!ZZ z52<-5=N?5JK7H7YK$7)L>+fT3^prQ>4iDR=R>jxg>vF)+tFaH;6gCWISV>q!v2Aa= zhG(JN++>8>v~(FK2YuY9fmg;Hg?noQhr8d;008qJXuSh86K8wSf&e+a wVgMok&j`RkM1ZRuz|b}Z7PiVJHulzlq5kJ}aESjr1p?TE0Ot^H5Ww;O0klDa%K!iX literal 0 HcmV?d00001 diff --git a/Solutions/Infoblox/Package/mainTemplate.json b/Solutions/Infoblox/Package/mainTemplate.json index 8e30123920f..efdba304cc8 100644 --- a/Solutions/Infoblox/Package/mainTemplate.json +++ b/Solutions/Infoblox/Package/mainTemplate.json 
@@ -47,7 +47,7 @@ }, "variables": { "_solutionName": "Infoblox", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "infoblox.infoblox-app-for-microsoft-sentinel", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "InfobloxDataConnector", @@ -316,7 +316,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox data connector with template version 3.0.0", + "description": "Infoblox data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1307,7 +1307,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox data connector with template version 3.0.0", + "description": "Infoblox data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -1734,7 +1734,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox data connector with template version 3.0.0", + "description": "Infoblox data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion3')]", 
@@ -2099,7 +2099,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox data connector with template version 3.0.0", + "description": "Infoblox data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion4')]", @@ -2542,7 +2542,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox data connector with template version 3.0.0", + "description": "Infoblox data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion5')]", @@ -2949,7 +2949,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_Lookup_Workbook Workbook with template version 3.0.0", + "description": "Infoblox_Lookup_Workbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -3107,7 +3107,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_Workbook Workbook with template version 3.0.0", + "description": "Infoblox_Workbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", 
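Review bot: `contentVersion` in the context lines of this hunk still resolves through `variables('workbookVersion2')`, and the only change shown here is the description string moving from 3.0.0 to 3.0.1. The hunk that follows rewrites this workbook's `serializedData`, so please confirm that `workbookVersion2` is bumped in the variables section as well; the one variables hunk visible in this patch changes only `_solutionVersion`. If the workbook version is meant to stay as it is, a short sentence in the commit message would make that explicit. It would also help to state how `Package/3.0.1.zip` was produced, since the binary cannot be compared against this template from the diff alone.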
@@ -3125,7 +3125,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"370d206d-18b1-43d4-a170-71a4a12ba9b2\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"SOC Insights Overview\",\"subTarget\":\"6\",\"style\":\"link\"},{\"id\":\"63a011d0-c970-408d-b027-a8579848a6fd\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Config Insights Overview\",\"subTarget\":\"8\",\"style\":\"link\"},{\"id\":\"f8b51e3b-e4b2-4ba4-9a9c-bedea05a1ee7\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Blocked Traffic Overview\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"d3af8e0b-806c-4f1f-b006-845c842bc2fc\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DNS Overview\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"dbd0c004-e0b4-446c-91cd-5a5af3f6e16e\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DHCP Overview\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"41df2b27-5f91-4a8b-adcb-e7997f86d6d6\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Audit Log Overview\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"4f1a6ec7-3d56-4f50-8045-34adbb8d92d0\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Service Log Overview\",\"subTarget\":\"5\",\"style\":\"link\"},{\"id\":\"ffabdc7f-2cb7-40fc-a883-d82609bba051\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Intelligence Overview\",\"subTarget\":\"7\",\"style\":\"link\"}]},\"name\":\"links - 
1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e1e015ea-e688-48be-ac2b-846fe98be48e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4bf79012-0d96-4024-8cb6-0b9c0d9407ef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host 
Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where isnotempty(SourceHostName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName 
desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"66255f50-472e-4295-8d64-6b9fa2e3c887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\", SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by SecondLevelDomain \\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f0a80c9f-a800-4958-b51c-4b38bfaf6624\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResponseCode\",\"label\":\"Response Code\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSRCode: string) with (pair_delimiter=';', 
kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode)\\r\\n| where isnotempty(InfobloxDNSRCode) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSRCode\\r\\n| sort by InfobloxDNSRCode asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RecordType\",\"label\":\"Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSQType\\r\\n| sort by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| project-rename ['Destination Dns Domain'] = DestinationDnsDomain\\r\\n| project ['Destination Dns Domain'], Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Requested FQDNs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Destination Dns 
Domain\",\"exportParameterName\":\"DestinationDnsDomain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Most Requested FQDNs\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"0\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Most Requested FQDNs' grid to see 'Top 10 Devices'\"},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 18\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 20\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"72d2b1bd-300c-4f3e-b4ca-4dcaec96fb3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopDevices\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ 
({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DeviceName)\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(DeviceName)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"102ee8fc-7658-4bca-82f3-54ed66d2ba9d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopMAC\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" and DestinationDnsDomain == ('{DestinationDnsDomain}') \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = 
make_list(SourceMACAddress)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c59d86e-9130-41a4-ba95-4e7974e4de06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstDevice\",\"type\":1,\"query\":\"print (todynamic('{TopDevices}')[0])\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f1d8907-d375-4db8-a5c9-f9d7390d8f7f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bd2a1987-e9ba-42ac-9856-a8c781ebb332\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"04910ee0-5aa4-4897-82d6-15167ad50e01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9a023fc0-b8b3-4e1e-9d9c-2c5c511cf32f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5619aab8-f9b6-4218-9315-c6741facf4eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4dd8c03f-0ec4-494c-a237-ff5c9ab73f8f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1a2455e4-36ec-46c9-bb3f-395ff1186abb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[7]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"72b22373-007c-4d10-bbdd-bdac49ea666c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb44f209-d53b-488f-8275-05294b57b1c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bb6a7aa4-0cf3-49d4-9649-179f6d60af71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[0]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"571e7afc-50fc-4f35-a7cf-c1d23a00effe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"00dca50c-6034-4a97-b1b0-da773ed535e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05752a54-7398-4373-9d67-bc5ce96c32a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"42233555-d975-4e88-b62e-2a53e728ae38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3a0eea52-845c-4347-b01b-6f4531de2d5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"29854b31-e4cd-4157-94d4-c0c3fef6f9a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"959fdc81-126b-44f9-8a82-753bc8d5bebd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[7]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"78b51494-7bb5-4a7d-ab01-67483568319d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b66ac0ed-09b2-49e1-bead-88c1a1145f70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Hide\",\"comparison\":\"isNotEqualTo\"},\"name\":\"parameters - 18\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top 10 Devices for Domain : {DestinationDnsDomain}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" 
or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FirstDevice}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| render piechart with(title=tostring(todynamic('{TopDevices}')[0]))\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FirstDevice} , MAC : {FirstMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FirstDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ 
({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SecondDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SecondDevice} , MAC : {SecondMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SecondDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == 
('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{ThirdDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {ThirdDevice} , MAC : {ThirdMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ThirdDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode 
in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FourthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FourthDevice} , MAC : {FourthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FourthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FifthDevice}') \\r\\n| summarize Count = count() by 
SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FifthDevice} , MAC : {FifthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FifthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SixthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SixthDevice} , MAC : 
{SixthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SixthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SeventhDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SeventhDevice} , MAC : 
{SeventhMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SeventhDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{EightDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {EightDevice} , MAC : 
{EightMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"EightDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{NinethDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {NinethDevice} , MAC : 
{NinethMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NinethDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{TenthDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {TenthDevice} , MAC : 
{TenthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"TenthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 19\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceUserName)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD})) \\r\\n| project-rename User = SourceUserName\\r\\n| summarize Count = count() by User\\r\\n| project User, Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests Count by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"User\",\"exportParameterName\":\"SourceUserName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Top Users\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DNS Requests Count by Users' grid to see 'Overall DNS Requests made by User' and 'Top 10 Requested Domains by User'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 19\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\nInfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string, \\r\\nInfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string, \\r\\nInfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns 
Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall DNS Requests made by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log 
Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 15\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" 
or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Requested Domains by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"group\":\"DestinationDnsDomain\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
8\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by InfobloxDNSRCode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Response 
Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Response_Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Response' pie chart to see 'DNS Requests' and 'Top 20 Devices'\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", 
SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], 
['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"{Response_Type} DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"
query - 16\",\"styleSettings\":{\"padding\":\"17px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 20 by Count\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 20 Devices for {Response_Type} DNS 
Request\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":20,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by 
InfobloxDNSQType\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Query Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on TimeGenerated from ago(1d) to now() step 1h by InfobloxDNSRCode\",\"size\":0,\"title\":\"Overall Queries Per Hour\",\"timeContext\":{\"durationMs\":86400000},\"exportFieldName\":\"x\",\"exportParameterName\":\"QPS_Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"}}},\"customWidth\":\"100\",\"name\":\"query - 11\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"18px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Overall Queries Per Hour' bar chart to see 'Queries Per Minutes'\"},\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 20\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| where TimeGenerated between (Gridtime - 30m .. Gridtime + 30m)\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on bin(TimeGenerated, 1m) from (Gridtime - 30m) to (Gridtime + 30m) step 1m by InfobloxDNSRCode\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Queries Per Minute\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 13\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 
30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\nand TimeGenerated between ((Gridtime - 30m) .. 
(Gridtime + 30m))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Overall Query by Devices per hour\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName 
= trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], 
Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxAnCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreenBlue\"}},{\"columnMatch\":\"InfobloxNsCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yell
owOrangeBrown\"}},{\"columnMatch\":\"InfobloxArCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"SourceUserName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"representation\":\"brown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 15\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Main Group\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-IP-Space-Data** logic app which is deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4abe4038-7e69-4b2c-9ec2-e1f9311e96be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"379d941d-6191-494d-b518-caf9e0d8ce55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DHCPServer\",\"label\":\"DHCP Server\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(InfobloxHostID) \\r\\n| distinct InfobloxHostID\\r\\n| sort by InfobloxHostID 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"68911f86-d896-407d-9a0b-07934f997037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceHostName) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c5628a47-4153-4808-a618-9a06d560428b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MAC\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceMACAddress) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceMACAddress\\r\\n| sort by SourceMACAddress asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"053f6da7-3bb9-4f9f-9bc5-ec09a9723f52\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Space\",\"label\":\"IP Space\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxIPSpace: string, InfobloxHostID: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases (Unique 
IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize 
count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" 
or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases (Unique IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, 
*) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases \",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | 
summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Leases over Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = 
trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| extend InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where isnotempty(InfobloxLeaseOp)\\r\\n| summarize count() by InfobloxLeaseOp\",\"size\":3,\"showAnalytics\":true,\"title\":\"DHCP Activity Summary\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Lease\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"51px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DHCP Activity Summary' pie chart to see 'DHCP Lease for Activity'\"},\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == 
\\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 MAC Address\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_MAC\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"53px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 MAC Address' pie chart to see 'Source IPs for MAC'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxRangeStart: string, 
InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string,\\r\\nInfobloxDUID: string, InfobloxLifetime: string,InfobloxLeaseUUID: string, InfobloxFingerprintPr: string,\\r\\nInfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand InfobloxLeaseOp == ('{Lease}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space})) and isnotempty(trim(@\\\"\\\\s\\\", InfobloxLeaseOp))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host 
Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease for Activity : {Lease}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand SourceMACAddress == ('{Pie_MAC}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ 
({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for MAC : {Pie_MAC}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceIP)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where 
(('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count=count() by SourceIP\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 IP Addresses\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 IP Addresses' grid to see 'Host for IP'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand SourceIP == ('{SourceIP}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, 
IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceHostName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Host for IP : {SourceIP}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\nand DeviceProduct == \\\"Data Connector\\\" \\r\\nand DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand 
(('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5\",\"padding\":\"5\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 
14\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 5\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82320096-33a6-4d48-b64f-2c90aa564ed4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"00756d7d-b074-42e5-996e-4ffa6487606f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserName\",\"label\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"3d2f3549-f5c5-4496-a013-f9b306321c75\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction) and (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| distinct DeviceAction\\r\\n| sort by DeviceAction asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string, InfobloxRangeEnd: string, 
InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\nand (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename Action = DeviceAction\\r\\n| summarize Count = count() by Action\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Types of Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"bar_Action\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Actions' bar chart to see 'Top 10 User for Action' and 'Audit Logs for Action'\"},\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 4\"}],\"exportParameters\":true},\"name\":\"group - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(SourceUserName)\\r\\nand DeviceAction == ('{bar_Action}')\\r\\nand (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename User = SourceUserName, Action = DeviceAction\\r\\n| summarize Count = count() by User\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_user\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"70px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 User for Action : {bar_Action}' pie chart to see 'Top 10 SourceIP for User'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and 
DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string, \\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string, \\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, \\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], 
Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where SourceUserName == ('{Pie_user}') and DeviceAction == ('{bar_Action}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Source IP for User : 
{Pie_user}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string,\\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\n InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\n and (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = 
InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"daee0513-3b57-4c4d-9052-7a92094a4036\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| where isnotempty(SourceUserName) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by SourceUserName\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf61f3a4-fe90-4244-b94b-4aedc1210af9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Location\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, 
InfobloxB1Region: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(Location) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct Location\\r\\n| sort by Location asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"e63dae9c-b8cf-4c02-9a7f-de990bfc4d1b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by 
SecondLevelDomain\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNSRecordType\",\"label\":\"DNS Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxDNSQType\\r\\n| order by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f67927b9-00eb-4a45-b9d0-4bde9ac74d86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyName\",\"label\":\"Policy Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs 
\\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxB1PolicyName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxB1PolicyName\\r\\n| sort by InfobloxB1PolicyName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand 
(('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(SourceUserName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by User = SourceUserName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Blocked Domains\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxRPZ: string, InfobloxPolicyID: string, InfobloxDomainCat: string, InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string, InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by InfobloxRPZ\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Feeds, 
Filters\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DeviceName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by Asset = DeviceName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Assets\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Asset\",\"exportParameterName\":\"DeviceName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"100\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 Malicious Assets' grid to see 'Overall Asset Details'\"},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = 
trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand DeviceName == ('{DeviceName}')\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], 
['Threat Indicator'], ['Feed Type']\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Asset : {DeviceName} Details \",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, 
InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| order by TimeGenerated\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = 
InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Blocked DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat 
Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-Service-Name** and **Infoblox-Get-Host-Name** logic apps 
which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19baf045-4606-49d8-8cb7-ef3ee9fed69a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"af60a861-3c2f-42a5-9045-295348fa5ac6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ServiceName\",\"label\":\"Service Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"796c7544-d2ff-42c6-a5c4-816298e72782\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend HostID = tostring(split(split(InfobloxLogName, ';')[0], '/')[0])\\r\\n| parse-kv LogSeverity as (InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend LogSeverityHostID = tostring(split(InfobloxLogName, '/')[0])\\r\\n| extend HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend HostName = trim(@\\\"\\\\s\\\", display_name_s), 
name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(HostName) and ('{ServiceName:escapejson}' == \\\"*\\\" or name_s in~ ({ServiceName}))\\r\\n| distinct HostName\\r\\n| order by HostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(split(InfobloxLogName, ';')[0], '/')\\r\\n| extend HostID = tostring(InfobloxLogName[0]), Process = tostring(InfobloxLogName[1])\\r\\n| parse-kv LogSeverity as (msg:string, InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(InfobloxLogName, '/')\\r\\n| extend LogSeverityHostID = tostring(InfobloxLogName[0]),\\r\\n LogSeverityProcess = tostring(InfobloxLogName[1]),\\r\\n Message = split(iif(isempty(Message), msg , Message), '\\\"')[1]\\r\\n| extend Process = iif(isempty(Process), LogSeverityProcess, Process), HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union 
isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend ['Service Name'] = trim(@\\\"\\\\s\\\", name_s), ['Host Name'] = trim(@\\\"\\\\s\\\", display_name_s), ['Process Name'] = trim(@\\\"\\\\s\\\",Process)\\r\\n| where ('{ServiceName:escapejson}' == \\\"*\\\" or ['Service Name'] in~ ({ServiceName}))\\r\\nand ('{HostName:escapejson}' == \\\"*\\\" or ['Host Name'] in~ ({HostName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], ['Service Name'], ['Process Name'], ['Host Name'], Message\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Log Data\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This data connector depends on parsers based on Kusto Functions to work as expected called **InfobloxInsight, InfobloxInsightEvents, InfobloxInsightAssets, InfobloxInsightIndicators, **and **InfobloxInsightComments** which are deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 20px 
0\"}},{\"type\":1,\"content\":{\"json\":\"# Infoblox SOC Insights Workbook\\r\\n\\r\\n##### Get a closer look at your Infoblox SOC Insights. \\r\\n\\r\\nThis workbook is intended to help visualize your [BloxOne SOC Insights](https://csp.infoblox.com/#/insights-console/insights/open/threats) data as part of the **Infoblox SOC Insight Solution**. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| extend isConfigIssue = iff((ThreatClass has_cs (\\\"CONFIGURATIONISSUE\\\")), \\\"Configuration\\\", \\\"Threats\\\")\\r\\n| summarize count() by isConfigIssue\",\"size\":3,\"title\":\"Insight Types\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Insight Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| summarize 
dcount(InfobloxInsightID) by Priority\",\"size\":3,\"title\":\"Priority\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"purple\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Priority\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatProperty\",\"size\":3,\"title\":\"Threat Families\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatType\",\"size\":3,\"title\":\"Threat Classes\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"Threat Classes\"}]},\"name\":\"Overall\"},{\"type\":1,\"content\":{\"json\":\"## Using this Workbook\\r\\nTo make use of this workbook, you must ingest Infoblox SOC Insight data into Sentinel in one or both ways:\\r\\n- Deploy the **Infoblox SOC Insights Data Connector** and forward CEF syslog via the Microsoft forwarding agent.\\r\\n- Deploy the **Infoblox-SOC-Get-Open-Insights-API** playbook.\\r\\n\\r\\nYou can use one or both at the same time, but beware of duplicate data!\\r\\n\\r\\nConfigure the **Analytic Queries** that come with this Microsoft Sentinel Solution. They will add the Insights as Incidents, so you can easily track and run playbooks on them.\\r\\n\\r\\nThen, once you have some Insights, run the **Infoblox-SOC-Get-Insight-Details** playbook to get all the gritty details. If you wish, you can then run **Infoblox-SOC-Import-Indicators-TI** to ingest each Indicator of an Insight into Sentinel as **Threat Intelligence**.\\r\\n\\r\\n## Run playbooks directly from this workbook!\\r\\n\\r\\n#### Set the **Resource Group**, [**Tenant ID**](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) and **Playbook** to run when clicking on the **Run Playbook** in the SOC Insight Incidents table below.\\r\\n\\r\\n**Infoblox-SOC-Get-Insight-Details** pulls all the details about each individual Insight. \\r\\n\\r\\n**Infoblox-SOC-Import-Indicators-TI** pushes each Indicator of the Insight into Sentinel as **Threat Intelligence**. 
You must run the **Infoblox-SOC-Get-Insight-Details** *before* running **Infoblox-SOC-Import-Indicators-TI**.\\r\\n\\r\\nYou will need to run the playbooks for each Insight/Incident. You can do that manually within this workbook with the **Run Playbook** button in the table below, from the **Incidents** blade, or configure them to run automatically with **Analytics**. \\r\\n\\r\\nAfter running **Infoblox-SOC-Get-Insight-Details** on an Insight, **click on it in the table below** to see the details.\\r\\n\\r\\n**You can rerun playbooks on Insights** that already contain data to get the most recent. \",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 5px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8613f2c-08c6-49e6-a2c6-e12d185c6bd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceTypes\",\"label\":\"Resource Types\",\"type\":7,\"description\":\"This parameter must be set to Logic app.\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"includeAll\":true,\"showDefault\":false},\"value\":[\"microsoft.logic/workflows\"]},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Incidents Resource Group\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"isGlobal\":true,\"query\":\"where type =~ 
\\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where resourceGroup =~ \\\"{SentinelResourceGroup}\\\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a92b010-8b48-4601-872f-83e13561b088\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"63c75027-cc56-4958-9296-e0c986ab11e0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookResourceGroup\",\"label\":\"Playbook Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"3c6d99b2-1eb1-4650-a3f0-d48dc03f87cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenantID\",\"label\":\"Tenant ID\",\"type\":1,\"isRequired\":true,\"value\":\"\"},{\"id\":\"e1ea6f58-cd1b-4807-a7de-7da91b787bd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookName\",\"label\":\"Playbook\",\"type\":5,\"description\":\"Set the playbook to run when clicking on 
the \\\"Run Playbook\\\" in the SOC Insight Incidents table below.\",\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~({ResourceTypes})\\r\\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\\r\\n| where resourceGroup =~ \\\"{PlaybookResourceGroup}\\\"// or '*' in~({PlaybookResourceGroup})\\r\\n| order by name asc\\r\\n| extend Rank = row_number()\\r\\n| project label = tostring(name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"Infoblox-SOC-Get-Insight-Details\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"15px 0 0 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"103f5c4e-6007-46c3-88ed-74fdb7843acc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}]},\"value\":{\"durationMs\":2592000000}},{\"id\":\"7c4c6733-a2d8-40b1-abf5-7f2d777e814c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectPriority\",\"label\":\"Priority\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n { 
\\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"INFO\\\"},\\r\\n { \\\"value\\\":\\\"LOW\\\"},\\r\\n { \\\"value\\\":\\\"MEDIUM\\\"},\\r\\n { \\\"value\\\":\\\"HIGH\\\"},\\r\\n { \\\"value\\\":\\\"CRITICAL\\\"}\\r\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"3e3ee805-c983-480e-9c10-49a47be4ddc6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| distinct Status\\r\\n| sort by Status asc\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1c79577f-a4f2-4b2a-aaa7-fbcc5e27831d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| project Owner=tostring(Owner.userPrincipalName)\\r\\n| sort by Owner asc\\r\\n| extend Owner = iff(isnotempty( Owner), Owner, \\\"Unassigned\\\")\\r\\n| distinct Owner\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 19 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let x =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where 
tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Labels = tostring(Labels)\\r\\n| extend InfobloxInsightID = extract(\\\"InfobloxInsightID: (.*?)\\\\\\\"\\\", 1, Labels)\\r\\n| join \\r\\n (InfobloxInsight\\r\\n | summarize arg_max(TimeGenerated, *) by InfobloxInsightID\\r\\n ) on InfobloxInsightID\\r\\n//sometimes duplicate TimeGenerated so grab LastSeen next\\r\\n| summarize arg_max(LastSeen, *) by IncidentNumber\\r\\n| project IncidentNumber, Severity, Priority, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID\\r\\n; \\r\\nlet incidents =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Alerts = extract(\\\"\\\\\\\\[(.*?)\\\\\\\\]\\\", 1, tostring(AlertIds))\\r\\n| mv-expand AlertIds to typeof(string)\\r\\n//----------------\\r\\n;\\r\\nlet alerts =\\r\\n SecurityAlert\\r\\n | extend AlertEntities = parse_json(Entities)\\r\\n //| extend InfobloxInsightID = tostring(AlertEntities.ObjectGuid)\\r\\n;\\r\\nincidents | join alerts on $left.AlertIds == $right.SystemAlertId\\r\\n//----------------------\\r\\n| summarize AlertCount=dcount(AlertIds) by IncidentNumber, IncidentID, Status, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , RunPlaybook\\r\\n// -------------\\r\\n| join kind=inner (incidents | join alerts on $left.AlertIds == 
$right.SystemAlertId) on IncidentNumber\\r\\n| join kind=fullouter x on IncidentNumber\\r\\n| summarize arg_max(TimeGenerated,*) by (IncidentNumber)\\r\\n//| where Priority in ({SelectPriority}) or '{SelectPriority:label}' == \\\"All\\\"\\r\\n| where Status in ({Status}) or '{Status:label}' == \\\"All\\\"\\r\\n| project IncidentNumber, Severity, Priority, Title, Status, Owner, IncidentUrl, RunPlaybook, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID, IncidentID\\r\\n//| project-away IncidentID\\r\\n| order by toint(IncidentNumber) desc\\r\\n\",\"size\":0,\"title\":\"SOC Insight Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"InfobloxInsightID\",\"parameterName\":\"InfobloxInsightID\",\"parameterType\":1},{\"fieldName\":\"IncidentID\",\"parameterName\":\"IncidentID\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"Title\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"Sev4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Priority\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdV
alue\":\"INFO\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MEDIUM\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"CRITICAL\",\"representation\":\"purple\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"New\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Active\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Owner\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}},{\"columnMatch\":\"RunPlaybook\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:label}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/runPlaybook?api-version=2019-01-01-preview\",\"body\":\"{\\r\\n \\\"LogicAppsResourceId\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.Logic/workflows/{PlaybookName:label}\\\",\\r\\n \\\"tenantId\\\":\\\"{TenantID}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify 
resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}},\"tooltipFormat\":{\"tooltip\":\"Run {PlaybookName} on this insight.\"}},{\"columnMatch\":\"EventsCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"NotBlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"BlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"InsightDataReady\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data for this insight, run the Infoblox-SOC-API-Get-Insight-Details playbook.\"}},{\"columnMatch\":\"isPopulated\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data about this Insight, run the Infoblox-SOC-API-Get-Insight-Details 
Playbook.\"}},{\"columnMatch\":\"Alerts\",\"formatter\":5},{\"columnMatch\":\"AlertCount\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Entities\",\"formatter\":1},{\"columnMatch\":\"alertCount\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"}},{\"columnMatch\":\"count_AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"rowLimit\":500,\"filter\":true}},\"name\":\"IncidentDetailsView\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Summary\",\"subTarget\":\"Summary\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Assets\",\"subTarget\":\"Assets\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators\",\"subTarget\":\"Indicators\",\"style\":\"link\"},{\"id\":\"f2ce2fdb-104a-447f-b42b-6d11931a09ff\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events\",\"subTarget\":\"Events\",\"style\":\"link\"},{\"id\":\"03782b90-e744-4654-95c3-a1056cfe78f9\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Comments\",\"subTarget\":\"Comments\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"},\"name\":\"links - 16\",\"styleSettings\":{\"padding\":\"20px 0 20px 0\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** above to view more information.\",\"style\":\"upsell\"},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 14\",\"styleSettings\":{\"padding\":\"10px 0 10px 
0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Title}\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"5c15d5ff-4108-4538-930b-201f4f8da870\",\"cellValue\":\"https://csp.infoblox.com/#/insights-console/insight/{InfobloxInsightID}/summary\",\"linkTarget\":\"Url\",\"linkLabel\":\"Redirect To Summary on CSP\",\"preText\":\"\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(FirstSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend FirstSeen = strcat(tostring(FirstSeen), \\\" UTC\\\")\\r\\n| project FirstSeen\",\"size\":3,\"title\":\"First Seen\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"FirstSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"First Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(LastSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend LastSeen = strcat(tostring(LastSeen), \\\" UTC\\\")\\r\\n| project LastSeen\",\"size\":3,\"title\":\"Last Seen 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"LastSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Last Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(SpreadingDate)\\r\\n| extend format_datetime(todatetime(SpreadingDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend SpreadingDate = strcat(tostring(SpreadingDate), \\\" UTC\\\")\\r\\n| project SpreadingDate\",\"size\":3,\"title\":\"Spreading Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"SpreadingDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Spreading Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(PersistentDate)\\r\\n| extend format_datetime(todatetime(PersistentDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend PersistentDate = strcat(tostring(PersistentDate), \\\" UTC\\\")\\r\\n| project PersistentDate\",\"size\":3,\"title\":\"Persistent 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"PersistentDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Persistent Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(BlockedCount)\\r\\n| project BlockedCount\",\"size\":3,\"title\":\"Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"BlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(NotBlockedCount)\\r\\n| project NotBlockedCount\",\"size\":3,\"title\":\"Not Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"NotBlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Not Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(EventsCount)\\r\\n| project EventsCount\\r\\n\",\"size\":3,\"title\":\"Total Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventsCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"gray\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\\r\\n\",\"size\":0,\"title\":\"Top 20 Compromised 
Assets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top Impacted IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count() by ThreatIndicator\\r\\n| top 20 by count_ \\r\\n| project ThreatIndicator);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, ThreatIndicator, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatIndicator\\r\\n\",\"size\":0,\"title\":\"Top 20 Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top 20 Indicators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = 
materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() );\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"Events\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Summary\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Summary\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Assets\\r\\n---\\r\\nSee your protected assets/devices affected by this insight. 
**Install the Infoblox Endpoint client for more accurate data.**\"},\"name\":\"text - 6\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Asset** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"margin\":\"15px 0 15px 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['OS Version'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| project SourceIP, User, ['MAC Address'], ['OS Version'], DeviceName, Network,['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"IndicatorDistinctCount\",\"label\":\"Associated Indicators\"}]}},\"name\":\"Assets\",\"styleSettings\":{\"margin\":\"0 0 20px 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"gree
n\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 60px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ThreatIndicator, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| summarize Count = count() by ThreatIndicator\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\" Indicators for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatLevel\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Level Trend for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"se
riesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Level Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for 
{SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"blue\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| 
where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Events = count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"All Events for {SourceIP}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"All Events for {SourceIP}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Assets\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Assets\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Indicators\\r\\n---\\r\\nAn **Indicator** is a domain or IP address that is seen in the resolution chain of a query from a device.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| summarize count_distinct(ThreatIndicator) by 
InfobloxB1PolicyAction\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Blocked\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count_distinct(ThreatIndicator) by ThreatLevel\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"blue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Indicator** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"padding\":\"15px 0 15px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct 
ThreatLevel\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e36bc3c2-b85e-478c-968b-7faf79c21c49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InfobloxB1PolicyActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct InfobloxB1PolicyAction\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AssetCount = (InfobloxInsightIndicators\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| join kind=inner\\r\\n(\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"66b112e0-3187-4faa-9357-d229e98002ca\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\\r\\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\\r\\n| where ThreatIndicator1 has_cs ThreatIndicator\\r\\n| summarize by SourceIP, ThreatIndicator\\r\\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\\r\\n\\r\\n\\r\\nInfobloxInsightIndicators\\r\\n| where InfobloxInsightID == 
\\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| join\\r\\n (\\r\\n AssetCount\\r\\n ) on ThreatIndicator\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| extend URL = strcat(\\\"https://csp.infoblox.com/#/security_research/search/auto/\\\", ThreatIndicator, \\\"/summary\\\")\\r\\n| extend sort_order = case(\\r\\n ThreatLevel == \\\"High\\\", 5,\\r\\n ThreatLevel == \\\"Medium\\\", 4,\\r\\n ThreatLevel == \\\"Low\\\", 3,\\r\\n ThreatLevel == \\\"N/A\\\", 2,\\r\\n 1 // default case if ThreatLevel doesn't match any of the above\\r\\n)\\r\\n| order by sort_order, EventCount desc\\r\\n| project-away sort_order\\r\\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\\r\\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"ThreatIndicator\",\"exportParameterName\":\"ThreatIndicator\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not 
Blocked\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Investigate in Dossier\"}},{\"columnMatch\":\"SourceIPDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"bluePurple\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"URL\",\"label\":\"Investigate in Dossier\"}]}},\"name\":\"Indicators\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Source OSVersion'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] 
= InfobloxB1DHCPFingerprint\\r\\n| summarize by SourceIP, User, ['MAC Address'], ['Source OSVersion'], DeviceName, Network, ['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets for {ThreatIndicator}\",\"noDataMessage\":\"Select an Indicator in the above chart to see details.\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Assets for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 500 by count_ \\r\\n);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, 
InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for {ThreatIndicator}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"createOtherGroup\":15}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Source IPs for 
{ThreatIndicator}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where Detected >= ago(30d)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['Date Time'] = TimeGenerated\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, User, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, ['MAC Address'], ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for 
{ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs 
'{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for {ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\
":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {ThreatIndicator}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events\\r\\n---\\r\\nDNS security events associated with this insight.\\r\\n\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatLevel)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatLevel\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat 
Level\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatClass)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatClass\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Classes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Classes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatProperty)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, 
ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatProperty\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Families\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceUserName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DeviceName)\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Names\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Names\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(SourceIP)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Source IPs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Source IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1Network)\\r\\n| 
distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1Network\",\"size\":4,\"title\":\"Sources\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Sources\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyName)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyName\",\"size\":4,\"title\":\"Policies\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Policies\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= 
ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyAction\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Actions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"name\":\"Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DNSResponse)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DNSResponse\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"DNS 
Responses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"DNS Responses\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceRegion)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceRegion\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Regions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Regions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceCountry)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, 
DeviceCountry\\r\\n| summarize Count = count() by DeviceCountry\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Countries\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Device Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| project-rename ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, SourceMACAddress, ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightComments\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
distinct CommentChanger, Comment, DateChanged, Status\\r\\n| order by DateChanged desc\\r\\n| project-rename ['Date Time'] = DateChanged, User = CommentChanger\\r\\n| project ['Date Time'], Status, User, Comment\",\"size\":0,\"title\":\"Comments\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Comments\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Comments\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Comments\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 17\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This Config Insights depends on the **Infoblox-Config-Insights** and **InfoBlox-Config-Insight-Details** logic apps which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep it enabled in order to use this Config Insight Details Dashboard.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"# Infoblox Config Insights\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"## Steps to view Config Insights Details using this workbook\\r\\n- This workbook is intended to view the available config insights and view their details.\\r\\n- Select the **Resource Group** and **Subscription ID**.\\r\\n- Select TimeRange.\\r\\n- From the **Config Insights** panel, select any config Insight.\\r\\n- You will be able to see the config details of the selected Insight.\\r\\n- If there is message like **The query returned no results** on config details panel, then click on the **GET CONFIG INSIGHT DETAILS** link to get the Config Insight Details for that Config Insight.\\r\\n- This will execute the **InfoBlox-Config-Insight-Details** logic app in the background.\\r\\n- You can check the status of the playbook to identify the Config Insight Details status.\\r\\n- Click on the refresh button of the lookup panel until you get the Config Insight Details.\\r\\n
\\r\\n
\\r\\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup1\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"f70e5d0e-2eff-4bca-9489-90ab64378887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}],\"allowCustom\":false},\"value\":{\"durationMs\":1209600000},\"label\":\"Time 
Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, policyAnalyticsId_g:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insights_CL\\r\\n| summarize arg_max(TimeGenerated, *) by policyAnalyticsId_g\\r\\n| extend ConfigInsightDetails = \\\"GET CONFIG INSIGHT DETAILS\\\"\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'],\\r\\n['Policy Analytics ID'] = policyAnalyticsId_g,\\r\\n['Insight Type'] = column_ifexists(\\\"insightType_s\\\",\\\"\\\"),\\r\\n[\\\"Config Insight Details\\\"] = column_ifexists(\\\"ConfigInsightDetails\\\",\\\"\\\")\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Policy Analytics ID\",\"exportParameterName\":\"ConfigInsightId\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Config Insight Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup1}/providers/Microsoft.Logic/workflows/InfoBlox-Config-Insight-Details/triggers/manual/run?api-version=2016-10-01\",\"body\":\"{\\r\\n \\\"config_insight_id\\\": \\\"{ConfigInsightId}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, analyticInsightId_g:string, feeds_s:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insight_Details_CL\\r\\n| where analyticInsightId_g == \\\"{ConfigInsightId}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by analyticInsightId_g\\r\\n| extend ParsedJson = parse_json(feeds_s)\\r\\n| mv-expand ParsedJson\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], \\r\\n['Insight Type'] = insightType_s,\\r\\n['Rule Type'] = ParsedJson.ruleType, \\r\\n['Rule Name'] = ParsedJson.ruleName, \\r\\n['Feed Name'] = ParsedJson.feedName, \\r\\n['Current Action'] = ParsedJson.currentAction, \\r\\n['Recommended Action'] = ParsedJson.recommendedAction, \\r\\n['Status'] = ParsedJson.status\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights Detail for Config ID: {ConfigInsightId}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"ConfigInsightId\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"group - 16\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", 
\\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\",\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. 
](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"customWidth\":\"79\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators 
Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data 
Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor 
column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, 
Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated < now()\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], IndicatorId, ThreatType, Active, Tags, TrafficLightProtocolLevel, EmailSenderAddress, FileHashType, FileHashValue, DomainName, NetworkIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Indicator\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
6\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"group - 7\"}],\"fromTemplateId\":\"sentinel-Infoblox | Infoblox Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"370d206d-18b1-43d4-a170-71a4a12ba9b2\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"SOC Insights Overview\",\"subTarget\":\"6\",\"style\":\"link\"},{\"id\":\"63a011d0-c970-408d-b027-a8579848a6fd\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Config Insights Overview\",\"subTarget\":\"8\",\"style\":\"link\"},{\"id\":\"f8b51e3b-e4b2-4ba4-9a9c-bedea05a1ee7\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Blocked Traffic Overview\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"d3af8e0b-806c-4f1f-b006-845c842bc2fc\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DNS Overview\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"dbd0c004-e0b4-446c-91cd-5a5af3f6e16e\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DHCP Overview\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"41df2b27-5f91-4a8b-adcb-e7997f86d6d6\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Audit Log Overview\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"4f1a6ec7-3d56-4f50-8045-34adbb8d92d0\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Service Log 
Overview\",\"subTarget\":\"5\",\"style\":\"link\"},{\"id\":\"ffabdc7f-2cb7-40fc-a883-d82609bba051\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Intelligence Overview\",\"subTarget\":\"7\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e1e015ea-e688-48be-ac2b-846fe98be48e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4bf79012-0d96-4024-8cb6-0b9c0d9407ef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where isnotempty(SourceHostName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct DeviceName\\r\\n| sort by 
DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"66255f50-472e-4295-8d64-6b9fa2e3c887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\", SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by SecondLevelDomain \\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f0a80c9f-a800-4958-b51c-4b38bfaf6624\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResponseCode\",\"label\":\"Response Code\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSRCode: string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode)\\r\\n| where isnotempty(InfobloxDNSRCode) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSRCode\\r\\n| sort by InfobloxDNSRCode asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RecordType\",\"label\":\"Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSQType\\r\\n| sort by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| project-rename ['Destination Dns Domain'] = DestinationDnsDomain\\r\\n| project ['Destination Dns Domain'], Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Requested FQDNs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Destination Dns 
Domain\",\"exportParameterName\":\"DestinationDnsDomain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Most Requested FQDNs\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"0\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Most Requested FQDNs' grid to see 'Top 10 Devices'\"},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 18\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 20\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"72d2b1bd-300c-4f3e-b4ca-4dcaec96fb3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopDevices\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ 
({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DeviceName)\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(DeviceName)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"102ee8fc-7658-4bca-82f3-54ed66d2ba9d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopMAC\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" and DestinationDnsDomain == ('{DestinationDnsDomain}') \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = 
make_list(SourceMACAddress)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c59d86e-9130-41a4-ba95-4e7974e4de06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstDevice\",\"type\":1,\"query\":\"print (todynamic('{TopDevices}')[0])\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f1d8907-d375-4db8-a5c9-f9d7390d8f7f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bd2a1987-e9ba-42ac-9856-a8c781ebb332\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"04910ee0-5aa4-4897-82d6-15167ad50e01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9a023fc0-b8b3-4e1e-9d9c-2c5c511cf32f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5619aab8-f9b6-4218-9315-c6741facf4eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4dd8c03f-0ec4-494c-a237-ff5c9ab73f8f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1a2455e4-36ec-46c9-bb3f-395ff1186abb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[7]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"72b22373-007c-4d10-bbdd-bdac49ea666c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb44f209-d53b-488f-8275-05294b57b1c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bb6a7aa4-0cf3-49d4-9649-179f6d60af71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[0]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"571e7afc-50fc-4f35-a7cf-c1d23a00effe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"00dca50c-6034-4a97-b1b0-da773ed535e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05752a54-7398-4373-9d67-bc5ce96c32a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"42233555-d975-4e88-b62e-2a53e728ae38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3a0eea52-845c-4347-b01b-6f4531de2d5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"29854b31-e4cd-4157-94d4-c0c3fef6f9a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"959fdc81-126b-44f9-8a82-753bc8d5bebd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[7]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"78b51494-7bb5-4a7d-ab01-67483568319d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b66ac0ed-09b2-49e1-bead-88c1a1145f70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Hide\",\"comparison\":\"isNotEqualTo\"},\"name\":\"parameters - 18\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top 10 Devices for Domain : {DestinationDnsDomain}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" 
or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FirstDevice}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| render piechart with(title=tostring(todynamic('{TopDevices}')[0]))\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FirstDevice} , MAC : {FirstMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FirstDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ 
({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SecondDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SecondDevice} , MAC : {SecondMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SecondDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == 
('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{ThirdDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {ThirdDevice} , MAC : {ThirdMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ThirdDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode 
in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FourthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FourthDevice} , MAC : {FourthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FourthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FifthDevice}') \\r\\n| summarize Count = count() by 
SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FifthDevice} , MAC : {FifthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FifthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SixthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SixthDevice} , MAC : 
{SixthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SixthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SeventhDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SeventhDevice} , MAC : 
{SeventhMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SeventhDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{EightDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {EightDevice} , MAC : 
{EightMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"EightDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{NinethDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {NinethDevice} , MAC : 
{NinethMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NinethDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{TenthDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {TenthDevice} , MAC : 
{TenthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"TenthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 19\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceUserName)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD})) \\r\\n| project-rename User = SourceUserName\\r\\n| summarize Count = count() by User\\r\\n| project User, Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests Count by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"User\",\"exportParameterName\":\"SourceUserName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Top Users\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DNS Requests Count by Users' grid to see 'Overall DNS Requests made by User' and 'Top 10 Requested Domains by User'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 19\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\nInfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string, \\r\\nInfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string, \\r\\nInfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns 
Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall DNS Requests made by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log 
Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 15\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" 
or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Requested Domains by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"group\":\"DestinationDnsDomain\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
8\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by InfobloxDNSRCode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Response 
Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Response_Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Response' pie chart to see 'DNS Requests' and 'Top 20 Devices'\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", 
SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], 
['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"{Response_Type} DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"
query - 16\",\"styleSettings\":{\"padding\":\"17px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 20 by Count\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 20 Devices for {Response_Type} DNS 
Request\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":20,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by 
InfobloxDNSQType\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Query Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on TimeGenerated from ago(1d) to now() step 1h by InfobloxDNSRCode\",\"size\":0,\"title\":\"Overall Queries Per Hour\",\"timeContext\":{\"durationMs\":86400000},\"exportFieldName\":\"x\",\"exportParameterName\":\"QPS_Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"}}},\"customWidth\":\"100\",\"name\":\"query - 11\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"18px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Overall Queries Per Hour' bar chart to see 'Queries Per Minutes'\"},\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 20\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| where TimeGenerated between (Gridtime - 30m .. Gridtime + 30m)\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on bin(TimeGenerated, 1m) from (Gridtime - 30m) to (Gridtime + 30m) step 1m by InfobloxDNSRCode\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Queries Per Minute\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 13\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 
30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\nand TimeGenerated between ((Gridtime - 30m) .. 
(Gridtime + 30m))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Overall Query by Devices per hour\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName 
= trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], 
Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxAnCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreenBlue\"}},{\"columnMatch\":\"InfobloxNsCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yell
owOrangeBrown\"}},{\"columnMatch\":\"InfobloxArCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"SourceUserName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"representation\":\"brown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 15\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Main Group\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-IP-Space-Data** logic app which is deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4abe4038-7e69-4b2c-9ec2-e1f9311e96be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"379d941d-6191-494d-b518-caf9e0d8ce55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DHCPServer\",\"label\":\"DHCP Server\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(InfobloxHostID) \\r\\n| distinct InfobloxHostID\\r\\n| sort by InfobloxHostID 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"68911f86-d896-407d-9a0b-07934f997037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceHostName) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c5628a47-4153-4808-a618-9a06d560428b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MAC\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceMACAddress) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceMACAddress\\r\\n| sort by SourceMACAddress asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"053f6da7-3bb9-4f9f-9bc5-ec09a9723f52\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Space\",\"label\":\"IP Space\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxIPSpace: string, InfobloxHostID: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases (Unique 
IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize 
count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" 
or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases (Unique IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, 
*) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases \",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | 
summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Leases over Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = 
trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| extend InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where isnotempty(InfobloxLeaseOp)\\r\\n| summarize count() by InfobloxLeaseOp\",\"size\":3,\"showAnalytics\":true,\"title\":\"DHCP Activity Summary\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Lease\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"51px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DHCP Activity Summary' pie chart to see 'DHCP Lease for Activity'\"},\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == 
\\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 MAC Address\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_MAC\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"53px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 MAC Address' pie chart to see 'Source IPs for MAC'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxRangeStart: string, 
InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string,\\r\\nInfobloxDUID: string, InfobloxLifetime: string,InfobloxLeaseUUID: string, InfobloxFingerprintPr: string,\\r\\nInfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand InfobloxLeaseOp == ('{Lease}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space})) and isnotempty(trim(@\\\"\\\\s\\\", InfobloxLeaseOp))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host 
Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease for Activity : {Lease}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand SourceMACAddress == ('{Pie_MAC}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ 
({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for MAC : {Pie_MAC}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceIP)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where 
(('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count=count() by SourceIP\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 IP Addresses\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 IP Addresses' grid to see 'Host for IP'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand SourceIP == ('{SourceIP}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, 
IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceHostName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Host for IP : {SourceIP}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\nand DeviceProduct == \\\"Data Connector\\\" \\r\\nand DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand 
(('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5\",\"padding\":\"5\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 
14\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 5\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82320096-33a6-4d48-b64f-2c90aa564ed4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"00756d7d-b074-42e5-996e-4ffa6487606f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserName\",\"label\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"3d2f3549-f5c5-4496-a013-f9b306321c75\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction) and (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| distinct DeviceAction\\r\\n| sort by DeviceAction asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string, InfobloxRangeEnd: string, 
InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\nand (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename Action = DeviceAction\\r\\n| summarize Count = count() by Action\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Types of Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"bar_Action\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Actions' bar chart to see 'Top 10 User for Action' and 'Audit Logs for Action'\"},\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 4\"}],\"exportParameters\":true},\"name\":\"group - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(SourceUserName)\\r\\nand DeviceAction == ('{bar_Action}')\\r\\nand (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename User = SourceUserName, Action = DeviceAction\\r\\n| summarize Count = count() by User\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_user\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"70px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 User for Action : {bar_Action}' pie chart to see 'Top 10 SourceIP for User'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and 
DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string, \\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string, \\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, \\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], 
Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where SourceUserName == ('{Pie_user}') and DeviceAction == ('{bar_Action}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Source IP for User : 
{Pie_user}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string,\\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\n InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\n and (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = 
InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"daee0513-3b57-4c4d-9052-7a92094a4036\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| where isnotempty(SourceUserName) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by SourceUserName\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf61f3a4-fe90-4244-b94b-4aedc1210af9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Location\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, 
InfobloxB1Region: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(Location) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct Location\\r\\n| sort by Location asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"e63dae9c-b8cf-4c02-9a7f-de990bfc4d1b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by 
SecondLevelDomain\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNSRecordType\",\"label\":\"DNS Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxDNSQType\\r\\n| order by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f67927b9-00eb-4a45-b9d0-4bde9ac74d86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyName\",\"label\":\"Policy Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs 
\\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxB1PolicyName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxB1PolicyName\\r\\n| sort by InfobloxB1PolicyName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand 
(('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(SourceUserName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by User = SourceUserName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Blocked Domains\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxRPZ: string, InfobloxPolicyID: string, InfobloxDomainCat: string, InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string, InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by InfobloxRPZ\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Feeds, 
Filters\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DeviceName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by Asset = DeviceName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Assets\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Asset\",\"exportParameterName\":\"DeviceName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"100\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 Malicious Assets' grid to see 'Overall Asset Details'\"},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = 
trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand DeviceName == ('{DeviceName}')\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], 
['Threat Indicator'], ['Feed Type']\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Asset : {DeviceName} Details \",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, 
InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| order by TimeGenerated\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = 
InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Blocked DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat 
Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-Service-Name** and **Infoblox-Get-Host-Name** logic apps 
which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19baf045-4606-49d8-8cb7-ef3ee9fed69a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"af60a861-3c2f-42a5-9045-295348fa5ac6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ServiceName\",\"label\":\"Service Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"796c7544-d2ff-42c6-a5c4-816298e72782\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend HostID = tostring(split(split(InfobloxLogName, ';')[0], '/')[0])\\r\\n| parse-kv LogSeverity as (InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend LogSeverityHostID = tostring(split(InfobloxLogName, '/')[0])\\r\\n| extend HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend HostName = trim(@\\\"\\\\s\\\", display_name_s), 
name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(HostName) and ('{ServiceName:escapejson}' == \\\"*\\\" or name_s in~ ({ServiceName}))\\r\\n| distinct HostName\\r\\n| order by HostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(split(InfobloxLogName, ';')[0], '/')\\r\\n| extend HostID = tostring(InfobloxLogName[0]), Process = tostring(InfobloxLogName[1])\\r\\n| parse-kv LogSeverity as (msg:string, InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(InfobloxLogName, '/')\\r\\n| extend LogSeverityHostID = tostring(InfobloxLogName[0]),\\r\\n LogSeverityProcess = tostring(InfobloxLogName[1]),\\r\\n Message = split(iif(isempty(Message), msg , Message), '\\\"')[1]\\r\\n| extend Process = iif(isempty(Process), LogSeverityProcess, Process), HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union 
isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend ['Service Name'] = trim(@\\\"\\\\s\\\", name_s), ['Host Name'] = trim(@\\\"\\\\s\\\", display_name_s), ['Process Name'] = trim(@\\\"\\\\s\\\",Process)\\r\\n| where ('{ServiceName:escapejson}' == \\\"*\\\" or ['Service Name'] in~ ({ServiceName}))\\r\\nand ('{HostName:escapejson}' == \\\"*\\\" or ['Host Name'] in~ ({HostName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], ['Service Name'], ['Process Name'], ['Host Name'], Message\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Log Data\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This data connector depends on parsers based on Kusto Functions to work as expected called **InfobloxInsight, InfobloxInsightEvents, InfobloxInsightAssets, InfobloxInsightIndicators, **and **InfobloxInsightComments** which are deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 20px 
0\"}},{\"type\":1,\"content\":{\"json\":\"# Infoblox SOC Insights Workbook\\r\\n\\r\\n##### Get a closer look at your Infoblox SOC Insights. \\r\\n\\r\\nThis workbook is intended to help visualize your [BloxOne SOC Insights](https://csp.infoblox.com/#/insights-console/insights/open/threats) data as part of the **Infoblox SOC Insight Solution**. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| extend isConfigIssue = iff((ThreatClass has_cs (\\\"CONFIGURATIONISSUE\\\")), \\\"Configuration\\\", \\\"Threats\\\")\\r\\n| summarize count() by isConfigIssue\",\"size\":3,\"title\":\"Insight Types\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Insight Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| summarize 
dcount(InfobloxInsightID) by Priority\",\"size\":3,\"title\":\"Priority\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"purple\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Priority\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatProperty\",\"size\":3,\"title\":\"Threat Families\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatType\",\"size\":3,\"title\":\"Threat Classes\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"Threat Classes\"}]},\"name\":\"Overall\"},{\"type\":1,\"content\":{\"json\":\"## Using this Workbook\\r\\nTo make use of this workbook, you must ingest Infoblox SOC Insight data into Sentinel in one or both ways:\\r\\n- Deploy the **Infoblox SOC Insights Data Connector** and forward CEF syslog via the Microsoft forwarding agent.\\r\\n- Deploy the **Infoblox-SOC-Get-Open-Insights-API** playbook.\\r\\n\\r\\nYou can use one or both at the same time, but beware of duplicate data!\\r\\n\\r\\nConfigure the **Analytic Queries** that come with this Microsoft Sentinel Solution. They will add the Insights as Incidents, so you can easily track and run playbooks on them.\\r\\n\\r\\nThen, once you have some Insights, run the **Infoblox-SOC-Get-Insight-Details** playbook to get all the gritty details. If you wish, you can then run **Infoblox-SOC-Import-Indicators-TI** to ingest each Indicator of an Insight into Sentinel as **Threat Intelligence**.\\r\\n\\r\\n## Run playbooks directly from this workbook!\\r\\n\\r\\n#### Set the **Resource Group**, [**Tenant ID**](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) and **Playbook** to run when clicking on the **Run Playbook** in the SOC Insight Incidents table below.\\r\\n\\r\\n**Infoblox-SOC-Get-Insight-Details** pulls all the details about each individual Insight. \\r\\n\\r\\n**Infoblox-SOC-Import-Indicators-TI** pushes each Indicator of the Insight into Sentinel as **Threat Intelligence**. 
You must run the **Infoblox-SOC-Get-Insight-Details** *before* running **Infoblox-SOC-Import-Indicators-TI**.\\r\\n\\r\\nYou will need to run the playbooks for each Insight/Incident. You can do that manually within this workbook with the **Run Playbook** button in the table below, from the **Incidents** blade, or configure them to run automatically with **Analytics**. \\r\\n\\r\\nAfter running **Infoblox-SOC-Get-Insight-Details** on an Insight, **click on it in the table below** to see the details.\\r\\n\\r\\n**You can rerun playbooks on Insights** that already contain data to get the most recent. \",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 5px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8613f2c-08c6-49e6-a2c6-e12d185c6bd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceTypes\",\"label\":\"Resource Types\",\"type\":7,\"description\":\"This parameter must be set to Logic app.\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"includeAll\":true,\"showDefault\":false},\"value\":[\"microsoft.logic/workflows\"]},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Incidents Resource Group\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"isGlobal\":true,\"query\":\"where type =~ 
\\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where resourceGroup =~ \\\"{SentinelResourceGroup}\\\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a92b010-8b48-4601-872f-83e13561b088\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"63c75027-cc56-4958-9296-e0c986ab11e0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookResourceGroup\",\"label\":\"Playbook Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"3c6d99b2-1eb1-4650-a3f0-d48dc03f87cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenantID\",\"label\":\"Tenant ID\",\"type\":1,\"isRequired\":true,\"value\":\"\"},{\"id\":\"e1ea6f58-cd1b-4807-a7de-7da91b787bd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookName\",\"label\":\"Playbook\",\"type\":5,\"description\":\"Set the playbook to run when clicking on 
the \\\"Run Playbook\\\" in the SOC Insight Incidents table below.\",\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~({ResourceTypes})\\r\\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\\r\\n| where resourceGroup =~ \\\"{PlaybookResourceGroup}\\\"// or '*' in~({PlaybookResourceGroup})\\r\\n| order by name asc\\r\\n| extend Rank = row_number()\\r\\n| project label = tostring(name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"Infoblox-SOC-Get-Insight-Details\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"15px 0 0 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"103f5c4e-6007-46c3-88ed-74fdb7843acc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}]},\"value\":{\"durationMs\":2592000000}},{\"id\":\"7c4c6733-a2d8-40b1-abf5-7f2d777e814c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectPriority\",\"label\":\"Priority\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n { 
\\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"INFO\\\"},\\r\\n { \\\"value\\\":\\\"LOW\\\"},\\r\\n { \\\"value\\\":\\\"MEDIUM\\\"},\\r\\n { \\\"value\\\":\\\"HIGH\\\"},\\r\\n { \\\"value\\\":\\\"CRITICAL\\\"}\\r\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"3e3ee805-c983-480e-9c10-49a47be4ddc6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| distinct Status\\r\\n| sort by Status asc\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1c79577f-a4f2-4b2a-aaa7-fbcc5e27831d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| project Owner=tostring(Owner.userPrincipalName)\\r\\n| sort by Owner asc\\r\\n| extend Owner = iff(isnotempty( Owner), Owner, \\\"Unassigned\\\")\\r\\n| distinct Owner\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 19 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let x =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where 
tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Labels = tostring(Labels)\\r\\n| extend InfobloxInsightID = extract(\\\"InfobloxInsightID: (.*?)\\\\\\\"\\\", 1, Labels)\\r\\n| join \\r\\n (InfobloxInsight\\r\\n | summarize arg_max(TimeGenerated, *) by InfobloxInsightID\\r\\n ) on InfobloxInsightID\\r\\n//sometimes duplicate TimeGenerated so grab LastSeen next\\r\\n| summarize arg_max(LastSeen, *) by IncidentNumber\\r\\n| project IncidentNumber, Severity, Priority, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID\\r\\n; \\r\\nlet incidents =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Alerts = extract(\\\"\\\\\\\\[(.*?)\\\\\\\\]\\\", 1, tostring(AlertIds))\\r\\n| mv-expand AlertIds to typeof(string)\\r\\n//----------------\\r\\n;\\r\\nlet alerts =\\r\\n SecurityAlert\\r\\n | extend AlertEntities = parse_json(Entities)\\r\\n //| extend InfobloxInsightID = tostring(AlertEntities.ObjectGuid)\\r\\n;\\r\\nincidents | join alerts on $left.AlertIds == $right.SystemAlertId\\r\\n//----------------------\\r\\n| summarize AlertCount=dcount(AlertIds) by IncidentNumber, IncidentID, Status, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , RunPlaybook\\r\\n// -------------\\r\\n| join kind=inner (incidents | join alerts on $left.AlertIds == 
$right.SystemAlertId) on IncidentNumber\\r\\n| join kind=fullouter x on IncidentNumber\\r\\n| summarize arg_max(TimeGenerated,*) by (IncidentNumber)\\r\\n//| where Priority in ({SelectPriority}) or '{SelectPriority:label}' == \\\"All\\\"\\r\\n| where Status in ({Status}) or '{Status:label}' == \\\"All\\\"\\r\\n| project IncidentNumber, Severity, Priority, Title, Status, Owner, IncidentUrl, RunPlaybook, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID, IncidentID\\r\\n//| project-away IncidentID\\r\\n| order by toint(IncidentNumber) desc\\r\\n\",\"size\":0,\"title\":\"SOC Insight Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"InfobloxInsightID\",\"parameterName\":\"InfobloxInsightID\",\"parameterType\":1},{\"fieldName\":\"IncidentID\",\"parameterName\":\"IncidentID\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"Title\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"Sev4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Priority\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdV
alue\":\"INFO\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MEDIUM\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"CRITICAL\",\"representation\":\"purple\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"New\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Active\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Owner\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}},{\"columnMatch\":\"RunPlaybook\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:label}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/runPlaybook?api-version=2019-01-01-preview\",\"body\":\"{\\r\\n \\\"LogicAppsResourceId\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.Logic/workflows/{PlaybookName:label}\\\",\\r\\n \\\"tenantId\\\":\\\"{TenantID}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify 
resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}},\"tooltipFormat\":{\"tooltip\":\"Run {PlaybookName} on this insight.\"}},{\"columnMatch\":\"EventsCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"NotBlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"BlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"InsightDataReady\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data for this insight, run the Infoblox-SOC-API-Get-Insight-Details playbook.\"}},{\"columnMatch\":\"isPopulated\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data about this Insight, run the Infoblox-SOC-API-Get-Insight-Details 
Playbook.\"}},{\"columnMatch\":\"Alerts\",\"formatter\":5},{\"columnMatch\":\"AlertCount\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Entities\",\"formatter\":1},{\"columnMatch\":\"alertCount\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"}},{\"columnMatch\":\"count_AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"rowLimit\":500,\"filter\":true}},\"name\":\"IncidentDetailsView\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Summary\",\"subTarget\":\"Summary\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Assets\",\"subTarget\":\"Assets\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators\",\"subTarget\":\"Indicators\",\"style\":\"link\"},{\"id\":\"f2ce2fdb-104a-447f-b42b-6d11931a09ff\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events\",\"subTarget\":\"Events\",\"style\":\"link\"},{\"id\":\"03782b90-e744-4654-95c3-a1056cfe78f9\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Comments\",\"subTarget\":\"Comments\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"},\"name\":\"links - 16\",\"styleSettings\":{\"padding\":\"20px 0 20px 0\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** above to view more information.\",\"style\":\"upsell\"},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 14\",\"styleSettings\":{\"padding\":\"10px 0 10px 
0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Title}\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"5c15d5ff-4108-4538-930b-201f4f8da870\",\"cellValue\":\"https://csp.infoblox.com/#/insights-console/insight/{InfobloxInsightID}/summary\",\"linkTarget\":\"Url\",\"linkLabel\":\"Redirect To Summary on CSP\",\"preText\":\"\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(FirstSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend FirstSeen = strcat(tostring(FirstSeen), \\\" UTC\\\")\\r\\n| project FirstSeen\",\"size\":3,\"title\":\"First Seen\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"FirstSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"First Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(LastSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend LastSeen = strcat(tostring(LastSeen), \\\" UTC\\\")\\r\\n| project LastSeen\",\"size\":3,\"title\":\"Last Seen 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"LastSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Last Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(SpreadingDate)\\r\\n| extend format_datetime(todatetime(SpreadingDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend SpreadingDate = strcat(tostring(SpreadingDate), \\\" UTC\\\")\\r\\n| project SpreadingDate\",\"size\":3,\"title\":\"Spreading Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"SpreadingDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Spreading Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(PersistentDate)\\r\\n| extend format_datetime(todatetime(PersistentDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend PersistentDate = strcat(tostring(PersistentDate), \\\" UTC\\\")\\r\\n| project PersistentDate\",\"size\":3,\"title\":\"Persistent 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"PersistentDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Persistent Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(BlockedCount)\\r\\n| project BlockedCount\",\"size\":3,\"title\":\"Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"BlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(NotBlockedCount)\\r\\n| project NotBlockedCount\",\"size\":3,\"title\":\"Not Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"NotBlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Not Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(EventsCount)\\r\\n| project EventsCount\\r\\n\",\"size\":3,\"title\":\"Total Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventsCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"gray\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\\r\\n\",\"size\":0,\"title\":\"Top 20 Compromised 
Assets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top Impacted IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count() by ThreatIndicator\\r\\n| top 20 by count_ \\r\\n| project ThreatIndicator);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, ThreatIndicator, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatIndicator\\r\\n\",\"size\":0,\"title\":\"Top 20 Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top 20 Indicators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = 
materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() );\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"Events\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Summary\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Summary\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Assets\\r\\n---\\r\\nSee your protected assets/devices affected by this insight. 
**Install the Infoblox Endpoint client for more accurate data.**\"},\"name\":\"text - 6\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Asset** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"margin\":\"15px 0 15px 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['OS Version'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| project SourceIP, User, ['MAC Address'], ['OS Version'], DeviceName, Network,['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"IndicatorDistinctCount\",\"label\":\"Associated Indicators\"}]}},\"name\":\"Assets\",\"styleSettings\":{\"margin\":\"0 0 20px 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"gree
n\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 60px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ThreatIndicator, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| summarize Count = count() by ThreatIndicator\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\" Indicators for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatLevel\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Level Trend for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"se
riesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Level Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for 
{SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"blue\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| 
where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Events = count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"All Events for {SourceIP}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"All Events for {SourceIP}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Assets\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Assets\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Indicators\\r\\n---\\r\\nAn **Indicator** is a domain or IP address that is seen in the resolution chain of a query from a device.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| summarize count_distinct(ThreatIndicator) by 
InfobloxB1PolicyAction\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Blocked\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count_distinct(ThreatIndicator) by ThreatLevel\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"blue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Indicator** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"padding\":\"15px 0 15px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct 
ThreatLevel\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e36bc3c2-b85e-478c-968b-7faf79c21c49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InfobloxB1PolicyActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct InfobloxB1PolicyAction\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AssetCount = (InfobloxInsightIndicators\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| join kind=inner\\r\\n(\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\\r\\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\\r\\n| where ThreatIndicator1 has_cs ThreatIndicator\\r\\n| summarize by SourceIP, ThreatIndicator\\r\\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\\r\\n\\r\\n\\r\\nInfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
where isnotempty(ThreatIndicator)\\r\\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| join\\r\\n (\\r\\n AssetCount\\r\\n ) on ThreatIndicator\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| extend URL = strcat(\\\"https://csp.infoblox.com/#/security_research/search/auto/\\\", ThreatIndicator, \\\"/summary\\\")\\r\\n| extend sort_order = case(\\r\\n ThreatLevel == \\\"High\\\", 5,\\r\\n ThreatLevel == \\\"Medium\\\", 4,\\r\\n ThreatLevel == \\\"Low\\\", 3,\\r\\n ThreatLevel == \\\"N/A\\\", 2,\\r\\n 1 // default case if ThreatLevel doesn't match any of the above\\r\\n)\\r\\n| order by sort_order, EventCount desc\\r\\n| project-away sort_order\\r\\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\\r\\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"ThreatIndicator\",\"exportParameterName\":\"ThreatIndicator\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not 
Blocked\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Investigate in Dossier\"}},{\"columnMatch\":\"SourceIPDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"bluePurple\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"URL\",\"label\":\"Investigate in Dossier\"}]}},\"name\":\"Indicators\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Source OSVersion'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] 
= InfobloxB1DHCPFingerprint\\r\\n| summarize by SourceIP, User, ['MAC Address'], ['Source OSVersion'], DeviceName, Network, ['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets for {ThreatIndicator}\",\"noDataMessage\":\"Select an Indicator in the above chart to see details.\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Assets for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 500 by count_ \\r\\n);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, 
InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for {ThreatIndicator}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"createOtherGroup\":15}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Source IPs for 
{ThreatIndicator}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where Detected >= ago(30d)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['Date Time'] = TimeGenerated\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, User, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, ['MAC Address'], ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for 
{ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs 
'{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for {ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\
":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {ThreatIndicator}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events\\r\\n---\\r\\nDNS security events associated with this insight.\\r\\n\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatLevel)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatLevel\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat 
Level\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatClass)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatClass\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Classes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Classes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatProperty)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, 
ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatProperty\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Families\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceUserName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DeviceName)\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Names\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Names\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(SourceIP)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Source IPs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Source IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1Network)\\r\\n| 
distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1Network\",\"size\":4,\"title\":\"Sources\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Sources\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyName)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyName\",\"size\":4,\"title\":\"Policies\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Policies\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= 
ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyAction\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Actions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"name\":\"Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DNSResponse)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DNSResponse\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"DNS 
Responses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"DNS Responses\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceRegion)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceRegion\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Regions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Regions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceCountry)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, 
DeviceCountry\\r\\n| summarize Count = count() by DeviceCountry\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Countries\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Device Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| project-rename ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, SourceMACAddress, ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightComments\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
distinct CommentChanger, Comment, DateChanged, Status\\r\\n| order by DateChanged desc\\r\\n| project-rename ['Date Time'] = DateChanged, User = CommentChanger\\r\\n| project ['Date Time'], Status, User, Comment\",\"size\":0,\"title\":\"Comments\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Comments\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Comments\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Comments\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 17\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This Config Insights depends on the **Infoblox-Config-Insights** and **InfoBlox-Config-Insight-Details** logic apps which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep it enabled in order to use this Config Insight Details Dashboard.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"# Infoblox Config Insights\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"## Steps to view Config Insights Details using this workbook\\r\\n- This workbook is intended to view the available config insights and view their details.\\r\\n- Select the **Resource Group** and **Subscription ID**.\\r\\n- Select TimeRange.\\r\\n- From the **Config Insights** panel, select any config Insight.\\r\\n- You will be able to see the config details of the selected Insight.\\r\\n- If there is message like **The query returned no results** on config details panel, then click on the **GET CONFIG INSIGHT DETAILS** link to get the Config Insight Details for that Config Insight.\\r\\n- This will execute the **InfoBlox-Config-Insight-Details** logic app in the background.\\r\\n- You can check the status of the playbook to identify the Config Insight Details status.\\r\\n- Click on the refresh button of the lookup panel until you get the Config Insight Details.\\r\\n
\\r\\n
\\r\\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup1\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"f70e5d0e-2eff-4bca-9489-90ab64378887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}],\"allowCustom\":false},\"value\":{\"durationMs\":1209600000},\"label\":\"Time 
Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, policyAnalyticsId_g:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insights_CL\\r\\n| summarize arg_max(TimeGenerated, *) by policyAnalyticsId_g\\r\\n| extend ConfigInsightDetails = \\\"GET CONFIG INSIGHT DETAILS\\\"\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'],\\r\\n['Policy Analytics ID'] = policyAnalyticsId_g,\\r\\n['Insight Type'] = column_ifexists(\\\"insightType_s\\\",\\\"\\\"),\\r\\n[\\\"Config Insight Details\\\"] = column_ifexists(\\\"ConfigInsightDetails\\\",\\\"\\\")\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Policy Analytics ID\",\"exportParameterName\":\"ConfigInsightId\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Config Insight Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup1}/providers/Microsoft.Logic/workflows/InfoBlox-Config-Insight-Details/triggers/manual/run?api-version=2016-10-01\",\"body\":\"{\\r\\n \\\"config_insight_id\\\": \\\"{ConfigInsightId}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, analyticInsightId_g:string, feeds_s:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insight_Details_CL\\r\\n| where analyticInsightId_g == \\\"{ConfigInsightId}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by analyticInsightId_g\\r\\n| extend ParsedJson = parse_json(feeds_s)\\r\\n| mv-expand ParsedJson\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], \\r\\n['Insight Type'] = insightType_s,\\r\\n['Rule Type'] = ParsedJson.ruleType, \\r\\n['Rule Name'] = ParsedJson.ruleName, \\r\\n['Feed Name'] = ParsedJson.feedName, \\r\\n['Current Action'] = ParsedJson.currentAction, \\r\\n['Recommended Action'] = ParsedJson.recommendedAction, \\r\\n['Status'] = ParsedJson.status\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights Detail for Config ID: {ConfigInsightId}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"ConfigInsightId\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"group - 16\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", 
\\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\",\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. 
](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"customWidth\":\"79\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators 
Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data 
Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor 
column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, 
Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated < now()\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], IndicatorId, ThreatType, Active, Tags, TrafficLightProtocolLevel, EmailSenderAddress, FileHashType, FileHashValue, DomainName, NetworkIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Indicator\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
6\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"group - 7\"}],\"fromTemplateId\":\"sentinel-Infoblox | Infoblox Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -3257,7 +3257,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOCInsight-Detected-APISource_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "Infoblox-SOCInsight-Detected-APISource_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -3285,10 +3285,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "InfobloxSOCInsightsDataConnector_API", "dataTypes": [ "InfobloxInsight" - ], - "connectorId": "InfobloxSOCInsightsDataConnector_API" + ] } ], "tactics": [ @@ -3300,15 +3300,16 @@ ], "entityMappings": [ { + "entityType": "SecurityGroup", "fieldMappings": [ { "columnName": "InfobloxInsightID", "identifier": "ObjectGuid" } - ], - "entityType": "SecurityGroup" + ] }, { + "entityType": "Malware", "fieldMappings": [ { "columnName": "ThreatClass", 
@@ -3318,30 +3319,29 @@ "columnName": "ThreatProperty", "identifier": "Category" } - ], - "entityType": "Malware" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "Status": "Status", - "Severity": "Priority", - "PersistentDate": "PersistentDate", + "UnblockedHits": "NotBlockedCount", "BlockedHits": "BlockedCount", + "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]", + "Severity": "Priority", "FirstSeen": "FirstSeen", + "TotalHits": "EventsCount", "SpreadingDate": "SpreadingDate", "LastSeen": "LastSeen", "FeedSource": "FeedSource", - "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]", - "TotalHits": "EventsCount", - "UnblockedHits": "NotBlockedCount" + "PersistentDate": "PersistentDate", + "Status": "Status" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}", "alertSeverityColumnName": "IncidentSeverity", - "alertDescriptionFormat": "Observed via API. {{ThreatFamily}}. Last Observation: {{LastSeen}}" + "alertDescriptionFormat": "Observed via API. {{ThreatFamily}}. Last Observation: {{LastSeen}}", + "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}" }, "incidentConfiguration": { "createIncident": true @@ -3397,7 +3397,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOCInsight-Detected-CDCSource_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "Infoblox-SOCInsight-Detected-CDCSource_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -3425,16 +3425,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "InfobloxSOCInsightsDataConnector_Legacy", "dataTypes": [ "CommonSecurityLog (InfobloxCDC_SOCInsights)" - ], - "connectorId": "InfobloxSOCInsightsDataConnector_Legacy" + ] }, { + "connectorId": "InfobloxSOCInsightsDataConnector_AMA", "dataTypes": [ "CommonSecurityLog (InfobloxCDC_SOCInsights)" - ], - "connectorId": "InfobloxSOCInsightsDataConnector_AMA" + ] } ], "tactics": [ @@ -3446,15 +3446,16 @@ ], "entityMappings": [ { + "entityType": "SecurityGroup", "fieldMappings": [ { "columnName": "InfobloxInsightID", "identifier": "ObjectGuid" } - ], - "entityType": "SecurityGroup" + ] }, { + "entityType": "Malware", "fieldMappings": [ { "columnName": "ThreatClass", @@ -3464,25 +3465,24 @@ "columnName": "ThreatProperty", "identifier": "Category" } - ], - "entityType": "Malware" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "Status": "Status", - "UnblockedHits": "NotBlockedCount", "BlockedHits": "BlockedCount", + "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]", + "Status": "Status", "TotalHits": "EventsCount", "FeedSource": "FeedSource", - "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]" + "UnblockedHits": "NotBlockedCount" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}", "alertSeverityColumnName": "IncidentSeverity", - "alertDescriptionFormat": "Observed via CDC. {{ThreatFamily}}. {{Message}}" + "alertDescriptionFormat": "Observed via CDC. {{ThreatFamily}}. {{Message}}", + "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}" }, "incidentConfiguration": { "createIncident": true 
@@ -3538,7 +3538,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxCDC_SOCInsights Data Parser with template version 3.0.0", + "description": "InfobloxCDC_SOCInsights Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -3666,7 +3666,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsight Data Parser with template version 3.0.0", + "description": "InfobloxInsight Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", @@ -3794,7 +3794,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightAssets Data Parser with template version 3.0.0", + "description": "InfobloxInsightAssets Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", 
@@ -3922,7 +3922,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightComments Data Parser with template version 3.0.0", + "description": "InfobloxInsightComments Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", @@ -4050,7 +4050,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightEvents Data Parser with template version 3.0.0", + "description": "InfobloxInsightEvents Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject5').parserVersion5]", @@ -4178,7 +4178,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightIndicators Data Parser with template version 3.0.0", + "description": "InfobloxInsightIndicators Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject6').parserVersion6]", 
@@ -4306,7 +4306,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Block-Allow-IP-Domain Playbook with template version 3.0.0", + "description": "Infoblox-Block-Allow-IP-Domain Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -5010,7 +5010,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Block-Allow-IP-Domain-Incident-Based Playbook with template version 3.0.0", + "description": "Infoblox-Block-Allow-IP-Domain-Incident-Based Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -6055,7 +6055,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Config-Insight-Details Playbook with template version 3.0.0", + "description": "Infoblox-Config-Insight-Details Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -6413,7 +6413,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Config-Insights Playbook with template version 3.0.0", + "description": "Infoblox-Config-Insights Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -6873,7 +6873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Data-Connector-Trigger-Sync Playbook with template version 3.0.0", + "description": "Infoblox-Data-Connector-Trigger-Sync Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -7584,7 +7584,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-DHCP-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-DHCP-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", 
@@ -8417,7 +8417,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Get-IP-Space-Data Playbook with template version 3.0.0", + "description": "Infoblox-Get-IP-Space-Data Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", @@ -9313,7 +9313,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Get-Service-Name Playbook with template version 3.0.0", + "description": "Infoblox-Get-Service-Name Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", @@ -9852,7 +9852,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-IPAM-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-IPAM-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", 
@@ -11888,7 +11888,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOC-Get-Insight-Details Playbook with template version 3.0.0", + "description": "Infoblox-SOC-Get-Insight-Details Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion10')]", @@ -12832,7 +12832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOC-Get-Open-Insights-API Playbook with template version 3.0.0", + "description": "Infoblox-SOC-Get-Open-Insights-API Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion11')]", @@ -13130,7 +13130,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOC-Import-Indicators-TI Playbook with template version 3.0.0", + "description": "Infoblox-SOC-Import-Indicators-TI Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion12')]", 
@@ -13755,7 +13755,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TIDE-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-TIDE-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion13')]", @@ -14524,7 +14524,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TIDE-Lookup-Via-Incident Playbook with template version 3.0.0", + "description": "Infoblox-TIDE-Lookup-Via-Incident Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion14')]", @@ -15264,7 +15264,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TIDE-Lookup-Comment-Enrichment Playbook with template version 3.0.0", + "description": "Infoblox-TIDE-Lookup-Comment-Enrichment Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion15')]", 
@@ -16837,7 +16837,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TimeRangeBased-DHCP-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-TimeRangeBased-DHCP-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion16')]", @@ -17891,7 +17891,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Get-Host-Name Playbook with template version 3.0.0", + "description": "Infoblox-Get-Host-Name Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion17')]", @@ -18431,7 +18431,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Infoblox", diff --git a/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json b/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json index 477109ffdd8..0bb70edba80 100644 --- a/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json +++ b/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json 
@@ -5540,7 +5540,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"66b112e0-3187-4faa-9357-d229e98002ca\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n", + "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), 
count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n", "size": 0, "showAnalytics": true, "timeContextFromParameter": "TimeRange", From 6fa0ff4eff25238b7b2977d49c1166704a576eef Mon Sep 17 00:00:00 2001 
From: PrasadBoke Date: Wed, 6 Nov 2024 13:45:10 +0530 Subject: [PATCH 2/2] Update ReleaseNotes.md --- Solutions/Infoblox/ReleaseNotes.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Solutions/Infoblox/ReleaseNotes.md b/Solutions/Infoblox/ReleaseNotes.md index 603961b9640..2ef63330b52 100644 --- a/Solutions/Infoblox/ReleaseNotes.md +++ b/Solutions/Infoblox/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.1 | 07-11-2024 | Byug fix in Infoblox_Workbook **Workbook** | | 3.0.0 | 15-07-2024 | Initial Solution Release | \ No newline at end of file
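Review bot: None of the Solutions/Infoblox/Package/mainTemplate.json hunks from @@ -6413 through @@ -18431 touches a workbook query; each one only changes a "template version 3.0.0" description literal or, in @@ -18431, the solution "version". If the serialized copy of the workbook inside mainTemplate.json is not updated by some other hunk of this commit, a deployment from the package will still carry the hardcoded insight ID that Infoblox_Workbook.json fixes. Please confirm that mainTemplate.json was regenerated after the workbook edit, and that the packaged query filters on "{InfobloxInsightID}".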
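Review bot: In the Solutions/Infoblox/Workbooks/Infoblox_Workbook.json hunk (@@ -5540), the left side of the join inside AssetCount is still not scoped to the selected insight. InfobloxInsightIndicators is reduced with `summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction` before the join on InfobloxInsightID, so each indicator and policy action pair keeps only the InfobloxInsightID of its most recent row. When an indicator's latest row belongs to a different insight, it no longer matches the InfobloxInsightEvents rows filtered on "{InfobloxInsightID}", falls out of AssetCount, and then disappears from the final table because the outer `join (AssetCount) on ThreatIndicator` uses the default join kind. Suggest adding `| where InfobloxInsightID == "{InfobloxInsightID}"` ahead of that summarize, the same filter the main query already applies. The count_distinct(SourceMACAddress) aggregate in AssetCount is also never used afterwards and could be dropped.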
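Review bot: The added 3.0.1 row in Solutions/Infoblox/ReleaseNotes.md has a typo ("Byug fix") and repeats the word workbook ("Infoblox_Workbook **Workbook**"). It also does not say what was fixed; something like "Bug fix in Infoblox **Workbook**: hardcoded Insight ID replaced with the InfobloxInsightID parameter" would let a reader of the release notes tell whether their dashboards were affected. The row is dated 07-11-2024 while this commit is dated 6 Nov 2024, so please confirm the date is the intended release date.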