diff --git a/Solutions/Web Session Essentials/Package/3.0.0.zip b/Solutions/Web Session Essentials/Package/3.0.0.zip
index a8d71c1bd1b..2aaa27683fc 100644
Binary files a/Solutions/Web Session Essentials/Package/3.0.0.zip and b/Solutions/Web Session Essentials/Package/3.0.0.zip differ
diff --git a/Solutions/Web Session Essentials/Package/mainTemplate.json b/Solutions/Web Session Essentials/Package/mainTemplate.json
index 0d44d401348..946250ccf3a 100644
--- a/Solutions/Web Session Essentials/Package/mainTemplate.json
+++ b/Solutions/Web Session Essentials/Package/mainTemplate.json
@@ -988,7 +988,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Web Session Essentials\\n---\\n\\nThe 'Web Session Essentials' workbook provides real-time insights into activity and potential threats in your network.\\n\\nThis workbook is designed for network teams, security architects, analysts, and consultants to monitor, identify and investigate threats on Web servers, Web Proxies and Web Security Gateways assets. This Workbook gives a summary of analysed web traffic and helps with threat analysis and investigating suspicious http traffic.\\n\\nThe \\\"SummarizeWebSessionData\\\" Playbook installed along with the solution helps in summarizing the logs and improving the performance of the Workbook and data searches. This Workbook leverages the default as well as custom web session summarized data tables for visualising the data. Although enabling the summarization playbook is optional, we highly recommend enabling it for better user experience in environments with high EPS (events per second) data ingestion. 
Please note that summarization would require the playbook to run on a scheduled basis to utilise this workbook's capabilities.\\n\\nSummarized web session data can found in following custom tables:\\n- WebSession_Summarized_SrcInfo_CL\\n- WebSession_Summarized_SrcIP_CL\\n- WebSession_Summarized_DstIP_CL\\n- WebSession_Summarized_ThreatInfo_CL\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"10f90ed9-b14c-4bd3-8618-fe92d29d0055\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"a28728e5-2c6b-4f0f-9b2e-906fe24c52a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"c8af6801-1cdf-47f6-b959-a7774b2f5faf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"description\":\"Select required Log Analytics Workspace\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project 
id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"b875f4b5-5a7c-4cf1-baf9-7b860f737cb8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"ab5ebbc3-a282-4ee4-9cc0-7cfebaa7e06a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print 
LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b8fc59a5-83c9-4ec1-9dfa-f71fa4e1ad15\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c318ae1b-984d-4f08-a0a1-46f0a8e62252\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeDstIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_DstIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n 
);\\r\\n print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"041050ed-6db3-42ae-96cd-100abebd7492\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeThreatInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_ThreatInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print LastIngestionTime\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7c67ea90-b8cb-44e0-b7e0-24d7b55e2680\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcIpAddr\",\"label\":\"Source IP\",\"type\":2,\"description\":\"search single or multiple Source IPs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct 
SrcIpAddr\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"a8533e73-c384-4490-94d7-a86b0298add0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcUsername\",\"label\":\"User name\",\"type\":2,\"description\":\"search single or multiple usernames\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcUsername)\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | distinct SrcUsername=SrcUsername_s\\r\\n )\\r\\n | distinct SrcUsername\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"161946b4-aa92-4bc3-8ae1-8b4ee67389ea\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcHostname\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcHostname)\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | 
distinct SrcHostname\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Source Host\"},{\"id\":\"e67b1965-4b24-45bd-9e07-64892a11ed5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DstHostname\",\"type\":2,\"description\":\"search single or multiple URLs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend SiteName = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | distinct SiteName\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | distinct SiteName = DestDomain_s\\r\\n )\\r\\n | distinct SiteName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Dest Site\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"c3e512f5-3e3f-41f3-b645-121f7bd6a557\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web servers\",\"subTarget\":\"webservers\",\"preText\":\"Web 
servers\",\"style\":\"link\"},{\"id\":\"6d785be8-da74-4cae-977f-576d5d3fa070\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web Proxies and Security Gateways\",\"subTarget\":\"webproxies\",\"style\":\"link\"},{\"id\":\"9f095674-3da6-4a46-aae9-6820b2b4baee\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Top Queries\",\"subTarget\":\"topQueries\",\"style\":\"link\"},{\"id\":\"e4f43157-d64d-41d2-8f9d-e39a30b0c1ce\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"View Threat Events\",\"subTarget\":\"threatevents\",\"style\":\"link\"}]},\"name\":\"links - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ 
({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n )\\r\\n | summarize count() by SrcIpAddr, DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(EventProduct)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(EventProduct_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct=EventProduct_s\\r\\n )\\r\\n | distinct EventProduct\\r\\n | count\\r\\n | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where 
isnotempty(SrcUsername)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n )\\r\\n | distinct SrcUsername\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, 
SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname\\r\\n | count\\r\\n | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr\\r\\n | count\\r\\n | extend Metric = \\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where 
EventType =~ 'WebServerSession'\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Dest Sites\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(HttpUserAgent)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(HttpUserAgent_s)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent=HttpUserAgent_s\\r\\n 
)\\r\\n | distinct HttpUserAgent\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nlet ServerErrorsCount = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where toint(EventResultDetails) between (500 .. 599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(EventResultDetails_s) between (500 .. 
599)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize Count = sum(EventCount)\\r\\n | extend Metric = \\\"Total Server Errors\\\", orderNum = 8;\\r\\nlet ClientErrorsCount = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where toint(EventResultDetails) between (400 .. 499)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(EventResultDetails_s) between (400 .. 
499)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize Count = sum(EventCount)\\r\\n | extend Metric = \\\"Total Client Errors\\\", orderNum = 9;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents, ServerErrorsCount, ClientErrorsCount | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(EventProduct)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or 
(SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend EventProduct = EventProduct_s\\r\\n | where isnotempty(EventProduct)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over 
time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"Events by products over time - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n | where toint(EventResultDetails) between (400 .. 
599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | project\\r\\n EventResultDetails= EventResultDetails_s,\\r\\n EventTime = EventTime_t,\\r\\n EventCount = EventCount_d,\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s\\r\\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n | where toint(EventResultDetails) between (400 .. 
599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by error type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventResultDetails\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Count by errors type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true\\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr)\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top internal users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top internal users by request 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true\\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr_s))\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top 
external users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top external clients by request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(EventSeverity)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize RequestCount=tolong(count()) by EventSeverity\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or 
(DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"25\",\"name\":\"Top web hosts with most request 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":3,\"showAnalytics\":true,\"title\":\"Urls with most failed requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"Urls with most failed requests\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most server 
errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n| where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\nand ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\nand ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\nand ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most server errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) 
by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n )\\r\\n on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User Agent requests resulted in success\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in success\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n )\\r\\n on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User 
Agent requests resulted in errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| where EventType_s =~ 'WebServerSession'\\r\\n| extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n| project EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ 
({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataReceived = sum(DataReceived) by DstHostname\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n ) on DstHostname\\r\\n | project WebServer=DstHostname, DataReceived=DataReceived, Trend\\r\\n | order by DataReceived desc\\r\\n | take 25\",\"size\":1,\"title\":\"Top Web servers with highest download\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Web servers with highest download\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let common_file_ext_list = dynamic([\\\".txt\\\", \\\".xlsx\\\", \\\".doc\\\", \\\".docx\\\", \\\".csv\\\", \\\".pdf\\\", \\\".png\\\", \\\".jpg\\\", \\\".jpeg\\\"]); // Add list of common files as per your environment\\r\\n_Im_WebSession (starttime={TimeRange:start}, eventresult='Success')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where HttpRequestMethod in~ (\\\"POST\\\", \\\"PUT\\\") \\r\\n| project\\r\\n Url,\\r\\n SrcIpAddr,\\r\\n SrcUsername,\\r\\n SrcHostname,\\r\\n DstIpAddr,\\r\\n DstPortNumber,\\r\\n DstHostname,\\r\\n TimeGenerated\\r\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]), '/')[-1])\\r\\n| extend FileWithdualextension = extract(@'([\\\\w-]+\\\\.\\\\w+\\\\.\\\\w+)$', 1, requestedFileName, typeof(string))\\r\\n| 
extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])\\r\\n| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files\\r\\n| summarize\\r\\n EventCount=count(),\\r\\n EventStartTime=min(TimeGenerated),\\r\\n EventEndTime=max(TimeGenerated)\\r\\n by\\r\\n SrcIpAddr,\\r\\n Url,\\r\\n FileWithdualextension,\\r\\n SrcUsername,\\r\\n SrcHostname,\\r\\n DstIpAddr,\\r\\n DstPortNumber,\\r\\n DstHostname\",\"size\":1,\"title\":\"Possible malicious double extension file upload\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webservers\"},\"name\":\"Web servers\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n | extend 
SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n )\\r\\n | summarize count() by SrcIpAddr, DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(EventProduct)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(EventProduct_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct=EventProduct_s\\r\\n )\\r\\n | distinct EventProduct\\r\\n | count\\r\\n | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n union 
isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(SrcUsername)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n )\\r\\n | distinct SrcUsername\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where 
EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname\\r\\n | count\\r\\n | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr\\r\\n | count\\r\\n | extend Metric = 
\\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Dest HostNames\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(HttpUserAgent)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(HttpUserAgent_s)\\r\\n | where 
('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent=HttpUserAgent_s\\r\\n )\\r\\n | distinct HttpUserAgent\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unique Connections\",\"representation\":\"Connect\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Product Count\",\"representation\":\"Normal\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserNames\",\"representation\":\"AvatarDefault\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Source HostNames\",\"representation\":\"resource\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique Source IPs\",\"representation\":\"Publish\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserAgents\",\"representation\":\"Important\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique 
Hosts\",\"representation\":\"Book\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventProduct)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventProduct = EventProduct_s\\r\\n | where isnotempty(EventProduct)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, 
{TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by products over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventResult)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | 
summarize EventCount=tolong(count()) by EventResult, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventResult = EventResult_s\\r\\n | where isnotempty(EventResult)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResult, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventResult, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by result over 
time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventResult\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Failure\",\"color\":\"red\"},{\"seriesName\":\"Success\",\"color\":\"green\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by result over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | where toint(EventResultDetails) > 399 // Take events resulted in errors\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= 
{TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n SrcBytes = SrcBytes_d,\\r\\n DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | where toint(EventResultDetails_s) > 399 // Take events resulted in errors\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResultDetails=EventResultDetails_s, TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Errors by type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"Errors by type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventType)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize 
EventCount=tolong(count()) by EventType, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventType=EventType_s, EventCount=EventCount_d, EventTime=EventTime_t\\r\\n | where isnotempty(EventType)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventType, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventType, bin(TimeGenerated, {TimeRange:grain})\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by type\",\"color\":\"lightBlue\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"20\",\"name\":\"Events by type\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotnull(SrcBytes) or isnotnull(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ 
({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotnull(SrcBytes_d) or isnotnull(DstBytes_d)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent), DataReceived=tolong(sum(DataReceived)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n | project DataSentinGB = format_bytes(DataSent,0,'GB'), DataReceivedinGB=format_bytes(DataReceived,0,'GB'), TimeGenerated\\r\\n | extend DataSentinGB = toint(replace_string(DataSentinGB,\\\" GB\\\",\\\"\\\")), DataReceivedinGB = toint(replace_string(DataReceivedinGB,\\\" GB\\\",\\\"\\\"))\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Sent and Received data in GB over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"customWidth\":\"40\",\"name\":\"Sent and Received data in GB over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n 
_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DestHostnameSet = make_set(DestHostname, 1000000) by bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n| where isnotempty(DestDomain_s)\\r\\n| extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize DestHostnameSet = make_set(DestHostname, 1000000) by TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n)\\r\\n| summarize TotalSites = array_length(make_set(DestHostnameSet, 1000000)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Distinct requested applications over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"40\",\"name\":\"Distinct requested applications over 
time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'HTTPsession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"Urls with most failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Urls with most failed requests count\"}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webproxies\"},\"name\":\"Group - Web Proxies and Security Gateways\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend DestDomain = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ 
({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DestDomain)\\r\\n | summarize RequestCount=tolong(count()) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n TimeGenerated=EventTime_t,\\r\\n DestDomain=DestDomain_s,\\r\\n EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DestDomain)\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain});\\r\\nlet UserData = WebData\\r\\n | summarize RequestCount=sum(RequestCount) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User)\\r\\n on User\\r\\n | order by RequestCount desc, User asc;\\r\\nWebData\\r\\n| summarize RequestCount=sum(RequestCount) by User, DestDomain\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DestDomain\\r\\n) on User, DestDomain\\r\\n| order by 
RequestCount desc, User asc\\r\\n| project Id=DestDomain, Name=DestDomain, RequestCount, Trend, ParentId=User, Type='DestDomain'\\r\\n| union (UserData\\r\\n| project Id=User, Name=User, RequestCount, Trend, ParentId = 'root', Type='User'\\r\\n)\\r\\n| order by RequestCount desc, Name asc\\r\\n| take 25\",\"size\":1,\"title\":\"Top sites of the top users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"50\",\"name\":\"Top sites of the top users\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | extend EventCount=EventCount_d, SrcIpAddr=SrcIpAddr_s, EventTime=EventTime_t, 
SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, SrcHostname=SrcHostname_s\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"title\":\"Top Users with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":\"[]\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = 
\\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top Users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top Users with most server 
errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top client error types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top client error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top server error 
types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top server error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Success')\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),DstDomain\\r\\n , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\"\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),DestHostname\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and EventResult_s =~ 'Success'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ 
({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Failure')\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),DstDomain\\r\\n , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\"\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ 
({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),DestHostname\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and EventResult_s =~ 'Failure'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by failed requests 
count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, SrcBytes= SrcBytes_d\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ 
({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataSent = sum(DataSent) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, DataSentinMB=DataSent/1048576, Trend\\r\\n | order by DataSentinMB desc\\r\\n | take 25\",\"size\":1,\"title\":\"Users with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"SentData\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest upload (MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ 
({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataReceived = sum(DataReceived) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, DataReceivedinMB=DataReceived/1048576, Trend\\r\\n | order by DataReceivedinMB desc\\r\\n | take 25\",\"size\":1,\"title\":\"Users with highest download (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest download 
(MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),\\r\\n DstDomain\\r\\n ,\\r\\n isnotempty(Url),\\r\\n tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | where Website != \\\"NA\\\" and isnotempty(SrcBytes)\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n EventResultDetails=EventResultDetails_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcBytes= SrcBytes_d\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),\\r\\n DestHostname\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotnull(SrcBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataSent = sum(DataSent) by 
Website\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n )\\r\\n on Website\\r\\n| project Website, DataSentinMB=DataSent / 1048576, Trend\\r\\n| order by DataSentinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest upload (MB) (no summarization)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | project DstDomain, Url, TimeGenerated, DstBytes, SrcIpAddr, SrcUsername, SrcHostname\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),\\r\\n DstDomain\\r\\n ,\\r\\n isnotempty(Url),\\r\\n tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | 
project\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n EventResultDetails=EventResultDetails_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n DestHostname=DestDomain_s,\\r\\n DstBytes= DstBytes_d\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),\\r\\n DestHostname\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataReceived = sum(DataReceived) by Website\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n )\\r\\n on Website\\r\\n| project Website, DataReceivedinMB=DataReceived / 1048576, Trend\\r\\n| order by DataReceivedinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest download(MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest download(MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion 
isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true 
\\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = 
\\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by failed requests 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n | where isnotempty(HttpReferrer)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n ;\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n ) on HttpReferrer\\r\\n | project HttpReferrer, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n | where isnotempty(HttpReferrer)\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n ;\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n ) on HttpReferrer\\r\\n | project HttpReferrer, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Failure\\\")\\r\\n | project UrlCategory, TimeGenerated\\r\\n | where isnotempty(UrlCategory)\\r\\n | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= 
{TimeRange:start}\\r\\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n | where isnotempty(UrlCategory) and EventResult =~ \\\"Failure\\\"\\r\\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Success\\\")\\r\\n | project UrlCategory, TimeGenerated\\r\\n | where isnotempty(UrlCategory)\\r\\n | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n | 
where isnotempty(UrlCategory) and EventResult =~ \\\"Success\\\"\\r\\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n HttpUserAgent=HttpUserAgent_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n EventResult=EventResult_s\\r\\n | where isnotempty(HttpUserAgent)\\r\\n and HttpUserAgent != 'Unknown'\\r\\n and EventResult =~ 'Success'\\r\\n | summarize 
EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n )\\r\\n on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP User Agents by successful request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by successful request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n HttpUserAgent=HttpUserAgent_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n EventResult=EventResult_s\\r\\n | where isnotempty(HttpUserAgent)\\r\\n and HttpUserAgent != 'Unknown'\\r\\n and EventResult =~ 'Failure'\\r\\n | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, 
bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n )\\r\\n on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP User Agents by failed request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by failed request count\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"topQueries\"},\"name\":\"Group - Top Queries\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nlet distinctThreats = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatName !in~ (exludeString) and isnotempty(ThreatName))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ 
({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where (ThreatName_s !in~ (exludeString) and isnotempty(ThreatName_s))\\r\\n | extend ThreatName = ThreatName_s\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n )\\r\\n | summarize Result=tostring(dcount(ThreatName))\\r\\n | extend Query = \\\"Distinct ThreatNames\\\", orderNum = 1;\\r\\nlet distinctThreatCategory = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatCategory !in~ (exludeString) and isnotempty(ThreatCategory))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where (ThreatCategory_s !in~ (exludeString) and isnotempty(ThreatCategory_s))\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatCategory = ThreatCategory_s\\r\\n )\\r\\n | 
summarize Result=tostring(dcount(ThreatCategory))\\r\\n | extend Query = \\\"Distinct Threat Categories\\\", orderNum = 2;\\r\\nlet maxRiskLevel = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where ThreatRiskLevel > 60\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where ThreatRiskLevel_d > 60\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatRiskLevel = toint(ThreatRiskLevel_d)\\r\\n )\\r\\n | summarize Max_RiskLevel=max(ThreatRiskLevel)\\r\\n | extend Result=tostring(iff(isempty(Max_RiskLevel), 0, Max_RiskLevel))\\r\\n | extend Query = \\\"Maximum RiskLevel\\\", orderNum = 3;\\r\\nlet maxThreatConfidence = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | extend ThreatOriginalConfidence=toint(ThreatOriginalConfidence)\\r\\n | where ThreatOriginalConfidence > 0\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n 
WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(ThreatOriginalConfidence_d) > 0\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, ThreatOriginalConfidence=ThreatOriginalConfidence_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n )\\r\\n | summarize Max_ThreatOriginalConfidence=max(ThreatOriginalConfidence)\\r\\n | extend Result=tostring(iff(isempty(Max_ThreatOriginalConfidence), 0, Max_ThreatOriginalConfidence))\\r\\n | extend Query = \\\"Maximum ThreatConfidence\\\", orderNum = 4;\\r\\nlet MaxEventSeverity = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventSeverity\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(EventSeverity_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct 
EventSeverity=EventSeverity_s\\r\\n )\\r\\n | distinct EventSeverity\\r\\n | summarize EventSeverity=make_set(EventSeverity, 5)\\r\\n | extend Result=case(\\r\\n EventSeverity has 'High',\\r\\n 'High',\\r\\n EventSeverity has 'Medium',\\r\\n 'Medium',\\r\\n EventSeverity has 'Low',\\r\\n 'Low',\\r\\n EventSeverity has 'Informational',\\r\\n 'Informational',\\r\\n EventSeverity\\r\\n )\\r\\n | extend Query = \\\"Max Event Severity\\\", orderNum = 5;\\r\\nunion distinctThreatCategory, distinctThreats, maxRiskLevel, maxThreatConfidence, MaxEventSeverity\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Query\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"!=\",\"thresholdValue\":\"0\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=count() by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatName=ThreatName_s, EventCount=EventCount_d, TimeGenerated=EventTime_t, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by ThreatName, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n| order by EventCount\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat name\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Events by threat name\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where 
ThreatCategory !in~ (exludeString)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=count() by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatCategory=ThreatCategory_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ThreatCategory !in~ (exludeString)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project EventSeverity=EventSeverity_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n\\t | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t | summarize EventCount=tolong(sum(EventCount)) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Severity over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where ThreatRiskLevel > 60\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatRiskLevel=toint(ThreatRiskLevel_d), EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ThreatRiskLevel > 60\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t | summarize EventCount=tolong(sum(EventCount)) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by tostring(ThreatRiskLevel), ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Risk Level over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n | where ThreatOriginalConfidence > 0\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where ThreatOriginalConfidence_d > 0\\r\\n | project ThreatOriginalConfidence=toint(ThreatOriginalConfidence_d), EventTime_t, EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"title\":\"Events by Confidence over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllPublicIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where not(ipv4_is_private(SrcIpAddr))\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = SrcIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n\\t\\t| project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where not(ipv4_is_private(SrcIpAddr))\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = SrcIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where not(ipv4_is_private(DstIpAddr))\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = DstIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n )\\r\\n | distinct PublicIPAddress;\\r\\n ThreatIntelligenceIndicator\\r\\n | where NetworkIP in~ (AllPublicIPs)\",\"size\":1,\"title\":\"Source or Destination IPs matching with Threat Intelligence 
indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(DestHostname)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname;\\r\\n ThreatIntelligenceIndicator\\r\\n | where Url 
has_any(AllDstWebsites)\",\"size\":1,\"title\":\"Requested URL matching with Threat Intelligence Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Requested URL with Threat Intelligence Indicators\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| project SrcIpAddr\\r\\n\\t\\t| distinct SrcIpAddr\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr;\\r\\nlet AllDstIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n | where isnotempty(DstIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ 
({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DstIpAddr_s)\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n )\\r\\n | distinct DstIpAddr;\\r\\nlet AllIPs =\\r\\nunion AllSrcIPs, AllDstIPs;\\r\\n SecurityAlert\\r\\n | where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'ip'\\r\\n | extend IPEntity = tostring(Parsed_Entities.Address)\\r\\n | project-away Parsed_Entities\\r\\n | where IPEntity in~ (AllIPs)\\r\\n | project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, IPEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source or Destination IPs matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) 
or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend DestHostname = DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'url'\\r\\n | extend UrlEntity = tostring(Parsed_Entities.Url)\\r\\n | project-away Parsed_Entities\\r\\n| where UrlEntity has_any (AllDstWebsites)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, UrlEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Request URLs matching with Entities in Security Alert 
table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcHostnames = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'host'\\r\\n | extend HostEntity = tostring(Parsed_Entities.HostName)\\r\\n | project-away Parsed_Entities\\r\\n| where HostEntity in~ (AllSrcHostnames)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, 
Description, ProviderName, HostEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source HostNames matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"query - 10\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"threatevents\"},\"name\":\"Threat Events\"}],\"fallbackResourceIds\":[],\"fromTemplateId\":\"sentinel-WebSessionDomainSolution\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Web Session Essentials\\n---\\n\\nThe 'Web Session Essentials' workbook provides real-time insights into activity and potential threats in your network.\\n\\nThis workbook is designed for network teams, security architects, analysts, and consultants to monitor, identify and investigate threats on Web servers, Web Proxies and Web Security Gateways assets. This Workbook gives a summary of analysed web traffic and helps with threat analysis and investigating suspicious http traffic.\\n\\nThe \\\"SummarizeWebSessionData\\\" Playbook installed along with the solution helps in summarizing the logs and improving the performance of the Workbook and data searches. This Workbook leverages the default as well as custom web session summarized data tables for visualising the data. Although enabling the summarization playbook is optional, we highly recommend enabling it for better user experience in environments with high EPS (events per second) data ingestion. 
Please note that summarization would require the playbook to run on a scheduled basis to utilise this workbook's capabilities.\\n\\nSummarized web session data can found in following custom tables:\\n- WebSession_Summarized_SrcInfo_CL\\n- WebSession_Summarized_SrcIP_CL\\n- WebSession_Summarized_DstIP_CL\\n- WebSession_Summarized_ThreatInfo_CL\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"10f90ed9-b14c-4bd3-8618-fe92d29d0055\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"a28728e5-2c6b-4f0f-9b2e-906fe24c52a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"c8af6801-1cdf-47f6-b959-a7774b2f5faf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"description\":\"Select required Log Analytics Workspace\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project 
id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"b875f4b5-5a7c-4cf1-baf9-7b860f737cb8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"ab5ebbc3-a282-4ee4-9cc0-7cfebaa7e06a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print 
LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b8fc59a5-83c9-4ec1-9dfa-f71fa4e1ad15\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c318ae1b-984d-4f08-a0a1-46f0a8e62252\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeDstIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_DstIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n 
);\\r\\n print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"041050ed-6db3-42ae-96cd-100abebd7492\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeThreatInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_ThreatInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print LastIngestionTime\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7c67ea90-b8cb-44e0-b7e0-24d7b55e2680\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcIpAddr\",\"label\":\"Source IP\",\"type\":2,\"description\":\"search single or multiple Source IPs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct 
SrcIpAddr\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"a8533e73-c384-4490-94d7-a86b0298add0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcUsername\",\"label\":\"User name\",\"type\":2,\"description\":\"search single or multiple usernames\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcUsername)\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | distinct SrcUsername=SrcUsername_s\\r\\n )\\r\\n | distinct SrcUsername\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"161946b4-aa92-4bc3-8ae1-8b4ee67389ea\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcHostname\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcHostname)\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | 
distinct SrcHostname\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Source Host\"},{\"id\":\"e67b1965-4b24-45bd-9e07-64892a11ed5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DstHostname\",\"type\":2,\"description\":\"search single or multiple URLs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend SiteName = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | distinct SiteName\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | distinct SiteName = DestDomain_s\\r\\n )\\r\\n | distinct SiteName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Dest Site\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"c3e512f5-3e3f-41f3-b645-121f7bd6a557\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web servers\",\"subTarget\":\"webservers\",\"preText\":\"Web 
servers\",\"style\":\"link\"},{\"id\":\"6d785be8-da74-4cae-977f-576d5d3fa070\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web Proxies and Security Gateways\",\"subTarget\":\"webproxies\",\"style\":\"link\"},{\"id\":\"9f095674-3da6-4a46-aae9-6820b2b4baee\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Top Queries\",\"subTarget\":\"topQueries\",\"style\":\"link\"},{\"id\":\"e4f43157-d64d-41d2-8f9d-e39a30b0c1ce\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"View Threat Events\",\"subTarget\":\"threatevents\",\"style\":\"link\"}]},\"name\":\"links - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ 
({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n )\\r\\n | summarize count() by SrcIpAddr, DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(EventProduct)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(EventProduct_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct=EventProduct_s\\r\\n )\\r\\n | distinct EventProduct\\r\\n | count\\r\\n | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where 
isnotempty(SrcUsername)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n )\\r\\n | distinct SrcUsername\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, 
SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname\\r\\n | count\\r\\n | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr\\r\\n | count\\r\\n | extend Metric = \\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where 
EventType =~ 'WebServerSession'\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Dest Sites\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(HttpUserAgent)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(HttpUserAgent_s)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent=HttpUserAgent_s\\r\\n 
)\\r\\n | distinct HttpUserAgent\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nlet ServerErrorsCount = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where toint(EventResultDetails) between (500 .. 599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(EventResultDetails_s) between (500 .. 
599)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize Count = sum(EventCount)\\r\\n | extend Metric = \\\"Total Server Errors\\\", orderNum = 8;\\r\\nlet ClientErrorsCount = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where toint(EventResultDetails) between (400 .. 499)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(EventResultDetails_s) between (400 .. 
499)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize Count = sum(EventCount)\\r\\n | extend Metric = \\\"Total Client Errors\\\", orderNum = 9;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents, ServerErrorsCount, ClientErrorsCount | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(EventProduct)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or 
(SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend EventProduct = EventProduct_s\\r\\n | where isnotempty(EventProduct)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over 
time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"Events by products over time - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n | where toint(EventResultDetails) between (400 .. 
599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | project\\r\\n EventResultDetails= EventResultDetails_s,\\r\\n EventTime = EventTime_t,\\r\\n EventCount = EventCount_d,\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s\\r\\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n | where toint(EventResultDetails) between (400 .. 
599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by error type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventResultDetails\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Count by errors type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true\\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr)\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top internal users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top internal users by request 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true\\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr_s))\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top 
external users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top external clients by request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(EventSeverity)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize RequestCount=tolong(count()) by EventSeverity\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or 
(DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"25\",\"name\":\"Top web hosts with most request 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":3,\"showAnalytics\":true,\"title\":\"Urls with most failed requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"Urls with most failed requests\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most server 
errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n| where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\nand ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\nand ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\nand ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most server errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) 
by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n )\\r\\n on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User Agent requests resulted in success\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in success\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n )\\r\\n on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User 
Agent requests resulted in errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| where EventType_s =~ 'WebServerSession'\\r\\n| extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n| project EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ 
({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataReceived = sum(DataReceived) by DstHostname\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n ) on DstHostname\\r\\n | project WebServer=DstHostname, DataReceived=DataReceived, Trend\\r\\n | order by DataReceived desc\\r\\n | take 25\",\"size\":1,\"title\":\"Top Web servers with highest download\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Web servers with highest download\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let common_file_ext_list = dynamic([\\\".txt\\\", \\\".xlsx\\\", \\\".doc\\\", \\\".docx\\\", \\\".csv\\\", \\\".pdf\\\", \\\".png\\\", \\\".jpg\\\", \\\".jpeg\\\"]); // Add list of common files as per your environment\\r\\n_Im_WebSession (starttime={TimeRange:start}, eventresult='Success')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where HttpRequestMethod in~ (\\\"POST\\\", \\\"PUT\\\") \\r\\n| project\\r\\n Url,\\r\\n SrcIpAddr,\\r\\n SrcUsername,\\r\\n SrcHostname,\\r\\n DstIpAddr,\\r\\n DstPortNumber,\\r\\n DstHostname,\\r\\n TimeGenerated\\r\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]), '/')[-1])\\r\\n| extend FileWithdualextension = extract(@'([\\\\w-]+\\\\.\\\\w+\\\\.\\\\w+)$', 1, requestedFileName, typeof(string))\\r\\n| 
extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])\\r\\n| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files\\r\\n| summarize\\r\\n EventCount=count(),\\r\\n EventStartTime=min(TimeGenerated),\\r\\n EventEndTime=max(TimeGenerated)\\r\\n by\\r\\n SrcIpAddr,\\r\\n Url,\\r\\n FileWithdualextension,\\r\\n SrcUsername,\\r\\n SrcHostname,\\r\\n DstIpAddr,\\r\\n DstPortNumber,\\r\\n DstHostname\",\"size\":1,\"title\":\"Possible malicious double extension file upload\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webservers\"},\"name\":\"Web servers\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n | extend 
SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n )\\r\\n | summarize count() by SrcIpAddr, DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(EventProduct)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(EventProduct_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct=EventProduct_s\\r\\n )\\r\\n | distinct EventProduct\\r\\n | count\\r\\n | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n union 
isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(SrcUsername)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n )\\r\\n | distinct SrcUsername\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where 
EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname\\r\\n | count\\r\\n | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr\\r\\n | count\\r\\n | extend Metric = 
\\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Dest HostNames\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(HttpUserAgent)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(HttpUserAgent_s)\\r\\n | where 
('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent=HttpUserAgent_s\\r\\n )\\r\\n | distinct HttpUserAgent\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unique Connections\",\"representation\":\"Connect\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Product Count\",\"representation\":\"Normal\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserNames\",\"representation\":\"AvatarDefault\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Source HostNames\",\"representation\":\"resource\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique Source IPs\",\"representation\":\"Publish\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserAgents\",\"representation\":\"Important\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique 
Hosts\",\"representation\":\"Book\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventProduct)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventProduct = EventProduct_s\\r\\n | where isnotempty(EventProduct)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, 
{TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by products over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventResult)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | 
summarize EventCount=tolong(count()) by EventResult, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventResult = EventResult_s\\r\\n | where isnotempty(EventResult)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResult, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventResult, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by result over 
time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventResult\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Failure\",\"color\":\"red\"},{\"seriesName\":\"Success\",\"color\":\"green\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by result over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | where toint(EventResultDetails) > 399 // Take events resulted in errors\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= 
{TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n SrcBytes = SrcBytes_d,\\r\\n DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | where toint(EventResultDetails_s) > 399 // Take events resulted in errors\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResultDetails=EventResultDetails_s, TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Errors by type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"Errors by type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventType)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize 
EventCount=tolong(count()) by EventType, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventType=EventType_s, EventCount=EventCount_d, EventTime=EventTime_t\\r\\n | where isnotempty(EventType)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventType, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventType, bin(TimeGenerated, {TimeRange:grain})\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by type\",\"color\":\"lightBlue\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"20\",\"name\":\"Events by type\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotnull(SrcBytes) or isnotnull(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ 
({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotnull(SrcBytes_d) or isnotnull(DstBytes_d)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent), DataReceived=tolong(sum(DataReceived)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n | project DataSentinGB = format_bytes(DataSent,0,'GB'), DataReceivedinGB=format_bytes(DataReceived,0,'GB'), TimeGenerated\\r\\n | extend DataSentinGB = toint(replace_string(DataSentinGB,\\\" GB\\\",\\\"\\\")), DataReceivedinGB = toint(replace_string(DataReceivedinGB,\\\" GB\\\",\\\"\\\"))\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Sent and Received data in GB over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"customWidth\":\"40\",\"name\":\"Sent and Received data in GB over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n 
_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DestHostnameSet = make_set(DestHostname, 1000000) by bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n| where isnotempty(DestDomain_s)\\r\\n| extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize DestHostnameSet = make_set(DestHostname, 1000000) by TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n)\\r\\n| summarize TotalSites = array_length(make_set(DestHostnameSet, 1000000)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Distinct requested applications over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"40\",\"name\":\"Distinct requested applications over 
time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'HTTPsession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"Urls with most failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Urls with most failed requests count\"}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webproxies\"},\"name\":\"Group - Web Proxies and Security Gateways\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend DestDomain = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ 
({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DestDomain)\\r\\n | summarize RequestCount=tolong(count()) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n TimeGenerated=EventTime_t,\\r\\n DestDomain=DestDomain_s,\\r\\n EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DestDomain)\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain});\\r\\nlet UserData = WebData\\r\\n | summarize RequestCount=sum(RequestCount) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User)\\r\\n on User\\r\\n | order by RequestCount desc, User asc;\\r\\nWebData\\r\\n| summarize RequestCount=sum(RequestCount) by User, DestDomain\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DestDomain\\r\\n) on User, DestDomain\\r\\n| order by 
RequestCount desc, User asc\\r\\n| project Id=DestDomain, Name=DestDomain, RequestCount, Trend, ParentId=User, Type='DestDomain'\\r\\n| union (UserData\\r\\n| project Id=User, Name=User, RequestCount, Trend, ParentId = 'root', Type='User'\\r\\n)\\r\\n| order by RequestCount desc, Name asc\\r\\n| take 25\",\"size\":1,\"title\":\"Top sites of the top users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"50\",\"name\":\"Top sites of the top users\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | extend EventCount=EventCount_d, SrcIpAddr=SrcIpAddr_s, EventTime=EventTime_t, 
SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, SrcHostname=SrcHostname_s\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"title\":\"Top Users with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":\"[]\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = 
\\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top Users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top Users with most server 
errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top client error types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top client error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top server error 
types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top server error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Success')\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),DstDomain\\r\\n , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\"\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),DestHostname\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and EventResult_s =~ 'Success'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ 
({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Failure')\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),DstDomain\\r\\n , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\"\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ 
({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),DestHostname\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and EventResult_s =~ 'Failure'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by failed requests 
count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, SrcBytes= SrcBytes_d\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ 
({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataSent = sum(DataSent) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, DataSentinMB=DataSent/1048576, Trend\\r\\n | order by DataSentinMB desc\\r\\n | take 25\",\"size\":1,\"title\":\"Users with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"SentData\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest upload (MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ 
({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataReceived = sum(DataReceived) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, DataReceivedinMB=DataReceived/1048576, Trend\\r\\n | order by DataReceivedinMB desc\\r\\n | take 25\",\"size\":1,\"title\":\"Users with highest download (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest download 
(MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),\\r\\n DstDomain\\r\\n ,\\r\\n isnotempty(Url),\\r\\n tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | where Website != \\\"NA\\\" and isnotempty(SrcBytes)\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n EventResultDetails=EventResultDetails_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcBytes= SrcBytes_d\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),\\r\\n DestHostname\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotnull(SrcBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataSent = sum(DataSent) by 
Website\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n )\\r\\n on Website\\r\\n| project Website, DataSentinMB=DataSent / 1048576, Trend\\r\\n| order by DataSentinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest upload (MB) (no summarization)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | project DstDomain, Url, TimeGenerated, DstBytes, SrcIpAddr, SrcUsername, SrcHostname\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),\\r\\n DstDomain\\r\\n ,\\r\\n isnotempty(Url),\\r\\n tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | 
project\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n EventResultDetails=EventResultDetails_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n DestHostname=DestDomain_s,\\r\\n DstBytes= DstBytes_d\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),\\r\\n DestHostname\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataReceived = sum(DataReceived) by Website\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n )\\r\\n on Website\\r\\n| project Website, DataReceivedinMB=DataReceived / 1048576, Trend\\r\\n| order by DataReceivedinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest download(MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest download(MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion 
isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true 
\\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = 
\\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by failed requests 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n | where isnotempty(HttpReferrer)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n ;\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n ) on HttpReferrer\\r\\n | project HttpReferrer, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n | where isnotempty(HttpReferrer)\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n ;\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n ) on HttpReferrer\\r\\n | project HttpReferrer, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Failure\\\")\\r\\n | project UrlCategory, TimeGenerated\\r\\n | where isnotempty(UrlCategory)\\r\\n | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= 
{TimeRange:start}\\r\\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n | where isnotempty(UrlCategory) and EventResult =~ \\\"Failure\\\"\\r\\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Success\\\")\\r\\n | project UrlCategory, TimeGenerated\\r\\n | where isnotempty(UrlCategory)\\r\\n | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n | 
where isnotempty(UrlCategory) and EventResult =~ \\\"Success\\\"\\r\\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n HttpUserAgent=HttpUserAgent_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n EventResult=EventResult_s\\r\\n | where isnotempty(HttpUserAgent)\\r\\n and HttpUserAgent != 'Unknown'\\r\\n and EventResult =~ 'Success'\\r\\n | summarize 
EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n )\\r\\n on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP User Agents by successful request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by successful request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n HttpUserAgent=HttpUserAgent_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n EventResult=EventResult_s\\r\\n | where isnotempty(HttpUserAgent)\\r\\n and HttpUserAgent != 'Unknown'\\r\\n and EventResult =~ 'Failure'\\r\\n | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, 
bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n )\\r\\n on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP User Agents by failed request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by failed request count\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"topQueries\"},\"name\":\"Group - Top Queries\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nlet distinctThreats = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatName !in~ (exludeString) and isnotempty(ThreatName))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ 
({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where (ThreatName_s !in~ (exludeString) and isnotempty(ThreatName_s))\\r\\n | extend ThreatName = ThreatName_s\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n )\\r\\n | summarize Result=tostring(dcount(ThreatName))\\r\\n | extend Query = \\\"Distinct ThreatNames\\\", orderNum = 1;\\r\\nlet distinctThreatCategory = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatCategory !in~ (exludeString) and isnotempty(ThreatCategory))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where (ThreatCategory_s !in~ (exludeString) and isnotempty(ThreatCategory_s))\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatCategory = ThreatCategory_s\\r\\n )\\r\\n | 
summarize Result=tostring(dcount(ThreatCategory))\\r\\n | extend Query = \\\"Distinct Threat Categories\\\", orderNum = 2;\\r\\nlet maxRiskLevel = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where ThreatRiskLevel > 60\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where ThreatRiskLevel_d > 60\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatRiskLevel = toint(ThreatRiskLevel_d)\\r\\n )\\r\\n | summarize Max_RiskLevel=max(ThreatRiskLevel)\\r\\n | extend Result=tostring(iff(isempty(Max_RiskLevel), 0, Max_RiskLevel))\\r\\n | extend Query = \\\"Maximum RiskLevel\\\", orderNum = 3;\\r\\nlet maxThreatConfidence = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | extend ThreatOriginalConfidence=toint(ThreatOriginalConfidence)\\r\\n | where ThreatOriginalConfidence > 0\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n 
WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(ThreatOriginalConfidence_d) > 0\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, ThreatOriginalConfidence=ThreatOriginalConfidence_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n )\\r\\n | summarize Max_ThreatOriginalConfidence=max(ThreatOriginalConfidence)\\r\\n | extend Result=tostring(iff(isempty(Max_ThreatOriginalConfidence), 0, Max_ThreatOriginalConfidence))\\r\\n | extend Query = \\\"Maximum ThreatConfidence\\\", orderNum = 4;\\r\\nlet MaxEventSeverity = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventSeverity\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(EventSeverity_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct 
EventSeverity=EventSeverity_s\\r\\n )\\r\\n | distinct EventSeverity\\r\\n | summarize EventSeverity=make_set(EventSeverity, 5)\\r\\n | extend Result=case(\\r\\n EventSeverity has 'High',\\r\\n 'High',\\r\\n EventSeverity has 'Medium',\\r\\n 'Medium',\\r\\n EventSeverity has 'Low',\\r\\n 'Low',\\r\\n EventSeverity has 'Informational',\\r\\n 'Informational',\\r\\n EventSeverity\\r\\n )\\r\\n | extend Query = \\\"Max Event Severity\\\", orderNum = 5;\\r\\nunion distinctThreatCategory, distinctThreats, maxRiskLevel, maxThreatConfidence, MaxEventSeverity\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Query\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"!=\",\"thresholdValue\":\"0\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=count() by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatName=ThreatName_s, EventCount=EventCount_d, TimeGenerated=EventTime_t, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by ThreatName, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n| order by EventCount\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat name\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Events by threat name\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where 
ThreatCategory !in~ (exludeString)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=count() by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatCategory=ThreatCategory_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ThreatCategory !in~ (exludeString)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project EventSeverity=EventSeverity_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n\\t | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t | summarize EventCount=tolong(sum(EventCount)) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Severity over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where ThreatRiskLevel > 60\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatRiskLevel=toint(ThreatRiskLevel_d), EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ThreatRiskLevel > 60\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t | summarize EventCount=tolong(sum(EventCount)) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by tostring(ThreatRiskLevel), ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Risk Level over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n | where ThreatOriginalConfidence > 0\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where ThreatOriginalConfidence_d > 0\\r\\n | project ThreatOriginalConfidence=toint(ThreatOriginalConfidence_d), EventTime_t, EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"title\":\"Events by Confidence over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllPublicIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where not(ipv4_is_private(SrcIpAddr))\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = SrcIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n\\t\\t| project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where not(ipv4_is_private(SrcIpAddr))\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = SrcIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where not(ipv4_is_private(DstIpAddr))\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = DstIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n )\\r\\n | distinct PublicIPAddress;\\r\\n ThreatIntelligenceIndicator\\r\\n | where NetworkIP in~ (AllPublicIPs)\",\"size\":1,\"title\":\"Source or Destination IPs matching with Threat Intelligence 
indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(DestHostname)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname;\\r\\n ThreatIntelligenceIndicator\\r\\n | where Url 
has_any(AllDstWebsites)\",\"size\":1,\"title\":\"Requested URL matching with Threat Intelligence Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Requested URL with Threat Intelligence Indicators\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| project SrcIpAddr\\r\\n\\t\\t| distinct SrcIpAddr\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr;\\r\\nlet AllDstIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n | where isnotempty(DstIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ 
({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DstIpAddr_s)\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n )\\r\\n | distinct DstIpAddr;\\r\\nlet AllIPs =\\r\\nunion AllSrcIPs, AllDstIPs;\\r\\n SecurityAlert\\r\\n | where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'ip'\\r\\n | extend IPEntity = tostring(Parsed_Entities.Address)\\r\\n | project-away Parsed_Entities\\r\\n | where IPEntity in~ (AllIPs)\\r\\n | project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, IPEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source or Destination IPs matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) 
or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend DestHostname = DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'url'\\r\\n | extend UrlEntity = tostring(Parsed_Entities.Url)\\r\\n | project-away Parsed_Entities\\r\\n| where UrlEntity has_any (AllDstWebsites)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, UrlEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Request URLs matching with Entities in Security Alert 
table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcHostnames = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'host'\\r\\n | extend HostEntity = tostring(Parsed_Entities.HostName)\\r\\n | project-away Parsed_Entities\\r\\n| where HostEntity in~ (AllSrcHostnames)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, 
Description, ProviderName, HostEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source HostNames matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"query - 10\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"threatevents\"},\"name\":\"Threat Events\"}],\"fromTemplateId\":\"sentinel-WebSessionDomainSolution\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel"