From 35e98372cce76a7d2584c43731589a8eea829c93 Mon Sep 17 00:00:00 2001
From: v-atulyadav <104008048+v-atulyadav@users.noreply.github.com>
Date: Tue, 26 Sep 2023 16:39:38 +0530
Subject: [PATCH] Removed blank parenthesis from Web Session Essentials

---
 .../Web Session Essentials/Package/3.0.0.zip  | Bin 50203 -> 50193 bytes
 .../Package/mainTemplate.json                 |   2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/Solutions/Web Session Essentials/Package/3.0.0.zip b/Solutions/Web Session Essentials/Package/3.0.0.zip
index a8d71c1bd1bc3808a669076aa7d3c5e39a47fc53..2aaa27683fcc33b54458b828c53fd6a7efad3147 100644
GIT binary patch
delta 24053
zcmXt<V{{nd_Vt4{W@Fp7Z8o-TTNB&1ZQE&VH*RdR;oE!f|6Oa=nh(#%InSQ`J7=G)
zaPWk1aCik7@NcLfARtg6E}HBO@FW=UbHUu|`@B};#MK}m(oK9A8b1N>liVQx6OkO0
zv`9m2U*O~sCnA0C;*<6y?yo$F%KLM<_a!`Tr6b;G(aB*HhI)PP{tSEc!!RWD14f;A
z5r1fa;P6O<zZW>#gglZ@l%C70(D5*c3MGTjKvpr?K-$Jv@%U#urrpxl*H>H#zY@i!
z$2hwnS~L1?y2GAP1_QtW!Y5i^-dcgKOWjFvb+n>xjlvv4$WBDmltBMH<a0x^JV$VP
zSA1*~1tYuBN8aw4I6RF(B2+XF+m8a-{F8!b9p3!lD;31FtfOhsqV=Xv@nq{|yQTz&
z7*Ytb9;H-EIlWv2T4in8M68W$xzf>YMeI_pqc&!m`+TTyg&5FyZ%+l|OXYObUb-NM
zV#PV(Fc<;(ae&I$3-_(SKkJ4udqDpyUhZqFi$~t!*;aJ&=z)Z*y|3QS0j>M~4L@<?
zRzH1Z;r4IKD0=}r%Ce>skTi~;t`Qp!D)xvoR+D}}c|(SP$vlN~U_;p>E;N;e<Vh9r
zyal?~K!iBEV+I_r`X#d>?i4tFSwRi9V3ZrtK4pVC>`FGuQG6T020so9Lok@p{ngh2
zhyD$*fZJmZHIxM^)DJh<HMC65xNmgy5Yc|lssjvFog@fr|3ZjB__cBo5eaE0!PpoN
z0ek+7K>;Ngvm2CfI3YbWn5FB^zCM*R(t9*87n4l(935DX5Gh-|?^?QQStStD5xyx1
zFZ4^sriMwhz>RsYC5R>o?UrC~hL?d(4#*bp+K&;G^&X;!dw+og*@tfhF7uP$?@}<p
z|1t;X32~NG6XqrbfV1cR!j|D0h>H!tvgP<1lqAI8V2U6s$Amq48xI0N^~&UZY=`ys
zLV<t^cfey3NRY(Dr&)M!s6h#d$pQ5h@pg+XA7c(faSGzqepXWRqmwyky`3gda^?E6
zjNW1w9oTbv`-8hR!`e(FX=!FHVjTVSeX1gv!k(UF9xIJyt<y3>sD^9*g&WG5f>@$l
zO~71%Q0c?ZO!T4omqFpJ1!}P4?R@>J5ENTBG{C4vf)ew^rnoE^HdgWN2N5l^t-@`u
zAy-9qIDhLjKW$SU`Q~Guei8xqlK)iaj=%1^FIeq3bKhEnZb7t1-k_W2TT${(Yvl`b
z*|rMq@;TIm0Lh~)&NaOgxAwTEM{xDqGc>Icc(v-ERClWtOV{r-&DbK7-D2m26Pu3i
z3joOCcb5H!<8tl5mT@hx9a1l<vn+`))cxehzLA+m?gP7`wbrxvh^zAH;9&OOk$EG&
zKiL8HyUunaa#r?N&^DNASSb;^F=8{Zv|p|dG%N3gpwF-wN1P9$HFY85tJ8(?V25lH
zh})GcH7U`=w5xfGn5{_?2J2veoLOqwJy7bpwF*k9BJynV@^|rVQXT9-o*)39=`WAb
zi*~t+5mj;GU}JF<dah0bYg*b$?!eE}arS8NQf_}ud!8@sFnmqmUH8GLY>j*G<Q@#Y
zhF}w(wVEX4Xh-&nZk#oY>g;z)6$I%DtI&M18BQhJBu@lQLWIT(mC>N-T!0&!3m{#8
z0<T<Ao;AuS=9@KdPNAVHRv}m~OYgF)H8CZfQyI|sgoCXoh|io29TO6+VpDGlwL!9p
ze;E^|>mx_50;f9oYkve{2Jd84{UkEL-9(s?A~pcK2g$aQvs>gG^rC=9(2X762_Dvc
zXTacmPsrXQtj22yM*uD~yf(dT6nH}zJ5M^@t<Q2KaQ|&kGA4c3wcV<UC^ufofsbvq
z$r5f2L(>0rk|>PnssEd0r<=#0F|Rt)<8paz9I~{cP<sWxhbR^%tre2H(ws(kL!A@%
zA>~o%zy*ZcgXioI1Mlly5`k|Q$~zet1j^IyC5Qt?Jj%*Q6;TpAsK9)1B`_Yyph;@?
zl+QQA0LZb22p_v;*~7(v>VRcM$aD+)4Sd;VN7SHopt&4@410VvEc$?Nb$c9p+C2#4
zESEiRY@Hk#?bBQ%dg{bbzzg*L&gU>V(}NG1^F9t!e1|TlbcvfCYG`XABY(|gf304u
z(IxI?0B-ko9M2oCMPO%aflIKMfJvK}s2IAZz3<*~IQ9lrJItyvHtM6U9WArZ=$cN#
zy(9LduCLlhS5A%U3_J@Q8LH<e5FbuNB|@UL{LXQj%N%W;Y;Ezh@%?0&E(T;eG$!qk
zY;Tphu=4ZN1)fiIb_+p&oCdZ0+7`p;Wk{*|mU<Q&Wpi3Gr^)4h0I6qvK}_ew&i*M_
zAc>?Z6eoGtcihO;<c;6MY9Yv5z%AMTR8xTUKwLj9p`)&5Y;pIq<rAe*`n?%hye4EE
zNxIbrW)=%SVC=8hj5RIT=HAk12t{CqeaIkxcgzMKtNCRakD$Hu4&JOZ;h8#NQtF9*
zCS~Au)+uZw*HPFN0GxN6xQI{rGj%=`n;}RrlnQf^PYc%&>#NauXN}Eitm<VGQ91^X
z20fH`h<CJ!q@_9amPy|Vr+@2((t!$GPiB=Q%ionF-iPde@teKjg4rf$h>GbW&Qda&
zZj+9w<@kcB+Sz<vc<(fYla{}{KOJpytUCtuMFr^Q5%ns%fRv_Vd6(N*ldF0er-KKd
zYZ1SBWh9&co(3J#cV!JId!AMduzfz%-f+iq)TG7xm7UTQfJc`SOh?cX3P5W^FrMr~
zVnLj(!{Z?oMRTc`^ZlhzW{C&oIafcd&JnvaTA;BZ68~Co+{?sHzUWo3M6yHd+6N<Y
zOmB}udxYNwR1?!|=fU}Ij(LgEj;w$wtBq6@M2UN2ntb4Q-WIAxr=&5qech{_kDWE`
zUc0$F@30|iiH+_i;M@nXU>CU4+taRm(3Wov{fb+p-lr%7eGl)NEI}yOi1u|WjQw4N
z@ust95NbN}p0rlCM}Q-EL*nm5U!9huY(3OU*AE#2B=1$C6))tW77G%m_#>z4A@~SV
z=*xl3@9ZHJ?sX7O*p|I`B+t<^l^4%Ap(7rEoT>d2d;Vr;?WHC^=pd%r9Jq+zWA_*q
z8GjFB8En)1M{Xie{}jeT+o=S&!tb&5@#sST>W$uUQ#3wHt5mxCr6;G15RqUhK=B{~
zQ+u`#xXu{;-V%jkXZq3?N`nD)y&I4ZNy>?EH(^DI3}7E)|6(lM^|QIV97<BY6&Kwa
za8@|f9K8>fC8~^i`hlruK{T$5<)XJg1GfY*6ZB}IKSJPk%dYSM9|n?FRq(~I{!^+|
z=-0|9?PmsRbmYY*+BT>D=^xmZ+o+AuzsQ)cz|r1d5u?-lRt4W_s;c?)y_`9O&WeDp
z5l;$PR}lnf4ViN{SBP7M7)nahI;}ca6^*%T>3@GTw1b+u;fBR{D;@89yS$)_J)5Z+
zDR(YumHLSS6Pf4xx7!uG+pu>Y`@O$6uKD^1?ltGQXc&UM>Ow*1rnXqzgRYA$;%a~z
z99|yf%07NO2Z0|~6j$(&Dp%2<*EpZ?A0GtQ8AG?a9%)DsIiIQ^Abt4pZ_-gW!-14i
zb4CN0Ylcff4aNn?WT0t|!}IJs5n@5eL+!>c)&&@o-+yy$?!;1j@7Fu$On_XEgnTC!
zmvG3@?WcYW(!Q(K_g-(G3lebCZAJ#dw&sE&4_Y|HQ3BVX_OTE<9%N#wX6))duGqMq
zLXxKUANgW1^5Y0TbU9;G(ixWy4f4S$2<?U(F;tA;RGtj}C}QLQjfaxaU(^r0xTx1z
zxu+uNg16r!Z+gIBa)y4J)%|A6=SP)u|5HzMr6EZ;IVw!k3*G348#m(kLq8Ufmu^r7
zi%$$#!VnR){Koi1KU5xsAZFXe%v!h_R%ww68{Gj>Sqr;?Gr&^H=e0z~O$;tCYCST0
z?LU2e1Fy;;d|Z}GE&&XIZ;C`G^<x#z3!Ma8uiXBCq=v&bz>W=LRo6k>#1)+DmmQVg
zS+NH*1Vu`-z1tU~C_4e!ktG7&bMUchg>Nh;cUPcAB15lZhA`8_qbS?X-?^-^kl7Lo
zs~tsEKpLs`l#}!Il|Up&p9_C8S-0r!T0g(EqVp%kIY{=z^N?z<?hz50)ADIxek0bK
zlim{sI~FdUpKQ+D3_);e<ssKR+tjgTu}58gDIj4N?w0V2=~cy^rIZGS;}7tw#sAr`
zt%+c!VxPHp)4eOe)!FqdgwP|OV3*X4;rEqaQ$*~R{5p#cB&J3ngmC%kiUBv<axQKJ
zTx@&@v}N}-=5D|(ad-TsM+eM7IhlSL?$@%sn^x>6GbnLsT9QGhkO1S9pScXrrDhv~
z5vs5d_2z_q6pSu=%LrgofWBjI;n}xpr({U05eW`$AbRL$RD&vtB8H&Ki)O@(7s*!4
z$IYZs#9x@knbmoAPj>!I2soFinu$2IMz5!S`Nrr1JGx@S{;2c?=M%j$R{a-U+<(lk
zwUI56;w2;eg2#?s&R>y76N!!#+~Lr?cwWUJv>lMgG&yx^i~vj$lQYB>-wD<8+<@qo
zM9;l!@r(?`K;A~Exd1=U{7NZ~hts6WpT$STumS#&E+7p`DVz(q&M=HsWqyN3_k-xn
zyI~%G&jnT^FrmJG@uq-a#P;DSWIBlSwyxSVT-xH_JoKM*YZo|&%tQ$te}VZP46HeJ
z4eppn_T5vOMgsT5FjP4{uo({6VHXjaP@QS{OXIGks7@5~RQgAgGpVMv<SMi>Wo$Ye
zuvG&D){FHi$dhoBC12f3f^{nVa2>W#O~<_9Is60&OM&a$=mSs@MkpqPG;x2>A9RlC
zzmL$d-Zi)37T^5Bv2>GzVd_XoRHEnk$bW+$=P_!B(f|%{#o>caCog{_qz_i7uc+u(
z6qafx)eeJ_IP{frmpe~Z)waU7A_=R+30puG5#G_O-ey8idrjC?H9_1g$=Q@0k7kW~
zjU7;pYn7yaH_o{h*PE*%>OA30q?J<=H|t)QBx78h_->2@=0(*D&0G<@E+7RjH50NZ
zyRh-IS_&vGJlhpJByS&Xz1d;B`sB=r*Q7>d{k$2PH5iGU*rcy6SpkKcQgbfrA^Tcc
zi{&rL8=fm|t}tWlU_%hrl*^xu4g48Og2~J6Sq)mEXK?ks%vdD+;rDdP5{3lREGjrs
z7pC?vah8Lh6!d=M1=55D>yL-tdG6Rv(oNsjGh=}tBZMztWQj5(>4nZ}O)i;QFg@JY
zk199`y=7q=WbNaF-YF&9obJ~_G}8JK@W)nko(eKc>9iM9!}XPf=!ZmKF|}%AYOt0x
z=u>RVfd`(2c4V`O;lBG=tHaTisS;&Em;f#!cdi~!RXy1#o`GPX2OW3Z57FRsT|d;Z
zf+0YV_cg9x{2)p;mVwh=A2%s}x@e?wAD``I=6bP|DLiG2WQI<-+-1$x{ErQOnaCcQ
z1L61mk!Y;}I7De`-@DFSV86pm4Enc=*jkGcZBnR%#RpHMz0A{@i(YZiV^9zzPWH_i
zv$IXn%xAT_caqJ|yzJg%9{Dr4_|l3XxokigettknaVXK{kd@FiL=$LXgOAr5p0d_;
zXPqriw`vE?CbqCL%HvAQyL0znUbw>pWcuWnYRcA~d&;v4OMlMXY&c?W>LEb4vnd$H
zo31in+U{<3rIrbz{tmt4hMo|#n{b3<sWL2WFtCtEvo3I4vtqV6m^v@&g307U6bD`y
zi<<(8(ctkV2RKJW&%iys<exLS$4!m6_BdE#pu+`1rcIIjnAMI8E=i}Bc0i|^^RSVf
z12R*!u*5c~8AE(y?KIZgLdTo5Dl1Ue)3tQb={y`Qbtuo~D(9hD0=jjo_I_t*iA}<o
zrIcl}$<(QDYaP}l*~Z+hm}fqz2?EahucTkOD}S0>ay>YIVtQ&hjz1-nJ#&eF$sT3n
zgUI78@2^KurXT&)8eqMiX5Qj0j~LVxr_n}e_eTE9JOSFx!>s716tVy&VmwPnMngVX
z3TJm>WR~gENQk6*+`{AD5#FVf&D2t^Nhvd$0cTf?KF~=1GvsE$e=#64UJbZyO0VJg
zOV(19Uenr>?T30Fbo^>;tzqqo={z6C^w{58XpRG$(_nMO9@TnWv#BX1G|L`dNnPat
zQcvlhkgNXck$ef4h{lQ&X>WLX5Z2=m3K*4Kh<Kasg=+)=4HyfWeX-mRJY|tHCl#@`
z{d(iX93BP=Pq#}DiSuRz=zz}pcf5CLu-cROG=IF@<vWtO-MVZVe5KSFVi%=bFW!ZT
zx9wpUI-BUUqz3*!zE{YoOyFoB8E|LKakqh(_&+}(PhPk|);l`c_gfkDVx}6B7S*XO
z;7EpE;$1~ODrOM~<}8~lc8!}mVipHI*oiPNm`paLY_Qq;Dq1Zl#eq1SG~IlZxs(`8
z4y&9$+&9L!oT+{2p=B(DhuEc3f80k4nmv+k<XPv;xo{G-l8766LiR6Luk$x&jB%4U
z8qQFL5hm8aOEgcN89FX$_w#k^%$J3@nsi(hYPl)XDmc(29=T<BDAP)JJrO79i1xgC
zgPby;Q+fZL{l_Q)ndi<5c5U30ZRJ5u{94ji=Ntr7J=jN80Lmu9Tfjd5J&98nRi&}D
zw<!I8e3F{PL87r4c%Anp+=oScG4TLWJf&M`z2M+E#g9aPAE?{0K$!yZKs8LHD8D19
z#VN2g#$lG=m{3*F5oBiRcu}H-Rd&0T-24x5?f9iFq$yyTJ~skq)IxZ28+VzYPbY{Y
z(o<zD?B}>jH&Ms03SUOGn-k2Rc$H+uhma#LyEQ~wmj<|*bP}>4l(+`caxh6wsw>jl
zf5&lL+6#|p;-XG7T&xQRSg3spW0U9Q@6hG6AakW5NMdP~{_cAG2}zzD#)`)MvXb<M
zs5KCWa>xUkH2;*lzfe{tt!+po#;er|2tFdH|0tuXWs;hCqQc1uEk;;iq8pGE%`m~@
z4l4*zWW;{XiLWKtl`LU!juG&x%C#9s2}j0U^Tj}HzJ+JYB&Da0cB8DLn^y{q%mLG3
z(8_-x*0Rk`ehpew{8QL4x~TwaLv%pGx{NShLADD-`}f?we!>Ut7yZtw7%;M>J7>&H
zmD9-KIltR-KH1k15Gg&z7Kcs&;YCxlB*l@J=9BC+oIIhFIwfX7G$$9}d#u+q&FBb=
z2{<$(SQ$;67O3t)vu74E$8OPdMlv@jCL?0sS-uy_k`l4$of#L&4s;E`8e^7{?YUby
z+gAa`!yOgqDK?Cs5lFjtYCsjbt{k*^-NZ>m^?y}G#RMF`${$Uuul*p5;1uJyO%6(R
z)c8q9n>j5dl1;!ihVq<wPR|05W9d?Z6%zBU%Zwn;bHX5<!_={l+|H}PaF0eNs?yj8
zInbgURJ*<1qhPhiL-B3F2G{pvmhL5z&{h$U)(_6}&mkKdI5f1<kbg0Ac832c$&ig*
ziu~zB8>s&alahB^DOV%}@%Tr;z5b{gLR9eATCUyNuM;}sRx{SH@ad%e)$9fFnL`=v
zesVPLtYV#3^o0fyKE;gGWfYR+(1iejN!Cd*-M18TAcgmBQm)`VS(#{2e^OHQmYN1Q
zKd7!=A;)(BMYE;{tsjM+^RSUr#mZdFqotPW&<9hv3p^zgg3Z#u_s?sKnhw)(@P~!b
z&PcAq<PcFZq)XJs>WKPFPVANPiyiig7H!AO^PUM(<*y^%1zQ{la+d9$pT10_Nr^gl
zp?7z9?)4s-R1#m?NiO2fu=J(D2&f%kVR|HUn#K4e!9DWVv*@7K0PB<Zs=Yv0Ja7uB
zxqdFmv*M+lCpQ&oeSZY{^5XV3vaww=sH>Gj=xd~EfuDgd)AX6CP_sJC3pLuT;f+<p
z^4P_WXENMu{IWXIjA>GJo>rAr=KqL^E|W}dh()4_H<rh|S2AttKt>$sG&xH<$Z0%!
z742-Ul1%$9*7=Ud(IUV}tjoO)QdgV5bCMC((X325y23t1_Fn}sq$e_>6>~PwGP7$k
z)YFGCP!OW)9ELg~!d9LVGBQ}r-JeiEv7u+eJ#EAn;x)Mq!6*Ak1dbwj=*0(vPo&Nq
zPLrF@WvNAGUTWrT04N}IS<KwA&Ql}pJ+9f4u2x&s^KB<R{}L-)*#ZAWSFRmz2?Z^~
zB}MO%gOry)F?kcrtsJK(Qc^|O%|eWkiqdxDDM?|UI3MNzeS%b(Tn}`ThJoglnvd6I
zhj|E7g##kmX$X@!NLvL&gxg2xk&((x2u+y4i%(gVUaNrI1Te(<UhsF&6d9I(iLL)m
zOY^z2I!UT0$&wC5@b+&CC(Dd6xzl`SZeONb<QRnPO>OB+0ET3U1R<|AcDjm(=x$b0
zLUg=CxN3SD8AZ_c!nN?q9`b@C%(!bG5M=gv$U^^KQ?>w=;RwGjH~#v=yyvr`CD8Kj
zE@E^C^ZTV9IS`(Opf2h2GU7UZq*g-*AEYLKzo}h_C9Rv14Q9Z9(dd%gk9aubQ|tcF
z4GY<~yTh=*p106_bDrjM&T#j1FwyYk5c_fVY4YePC}DUgB?nNKb>C7URGbB#7RDF$
z4F|BUk>zd3-`=Vua6eEX)KhowQ3b1;pc)KrOo@0O0u>EdPgbFB@>NE>>2qmx>as#m
z{DSYJ#c!3%beiucjBG>jRrFyEn|MS1(X1~8CAj4WVLl3o2vm{Dn?rF*xA++W{WQiz
z`E%^xvctYOd}uJ2k>Y-&L6nIic8aL~Iy=njBSSBWZt4!`qefPDVr~JjJSHm)6NMj`
zis-ggfRHln#9(j9j5Lp&^M<B)vY4H@YI2BXZDeD4AuaP`>0Y^>xuqhyC3Y^?gb_W#
zg3rK@46bCj)UhRoaWK>AN9fewRe@yasI<5Ee-=iE016LgeDh6@ud9QMFzJgDsMs3Y
za#6QZ6+l;*3?yZ3x;;*>G8Pe=i!5+ZrXoWGXcGZ<y>)m*f+OgT7&lb}2^wrxoO(m3
zkL#gB_M=!Z*?iIUn1+ylUMKKMcLuME3q9f%g>s*A4OQpu6B|9}CNxf;tznd=8%VM-
zctV8R!+CnIa-<C08M<`{haf=4An)$CR<qB)rs>9xRN|RHHl7)$i998|PoN(Z_CtFE
zI4}igKVG=BRAUWD#r>ZnJY*XJvHR^|mEACf$Ph8@0;>P@lEjqGgq#FT*36he_^Jza
z3_`Gkm@48dv53f*byZA4=-7gp1~-30`O>Z}A+2lQlB2N4qmGNRgG^u+z>~u)!}hBo
z+W4=JN7>i}om7u;nqtX-LHT-cAtMX}KiEvdvh$jVIP^u>)rVZt{Pg^Xa0KmEof!<{
z+X)#}(sIjdf8j}JF|lw2FlE%pDu~!=1ksTM&{Y>G7>JC|LD;ferzZW$1+4<RCAn5P
zpd!-gq!^|KPsRQ1-*)pGR@D$5kznN}^?~f0>(e7iFv|rV8eUkN)h=90TQ6lXP}v{%
zQ0BBikrx=H&ULz6M)-@GqNhgMQ=qGq+OC@wkUu%T^}Q&&3oq=jox8T$fFQX_8(}Rn
zs^U9OE)yZrEc2N;C~IG!D3Sj|p_Kd?^(I`fN+I#Waeb9a?*=D4y;PFKFprtcewVdq
zhpZ*#g5rAeC$(%;M`1wWcJJ>npxc2%@)R|~bfhflgx#M0Q+TO;NG{S5qltKG&p>*h
zY)sr}7w_ZozV(_fw9R+6(j4Qyb;I3M)ACsJpU&R29=oY|ZcIC+wDsJznxDxHEB4GR
zbYK1}*VT<)%CbS9&*!OX>DL{WM;T@@O=sWt>$j9IU!l)uM1!7}qTW$p5$J&znd1YV
z_pJdBh{jNxF!QVEou7&X+S=wm|E=5XTd~^X@OKYc-HA6Yh(P`W_y~MOsNYtfXxlNT
z72RN;H!$|j`G;hQ`O%QRz@NqC2#@xbFz3zIvvRlF6dm+HciDsJVpvXO={`Q!b<m*t
zu%|i#1!00SA85UM0E6N8&dlsjp>S~$|Mb!JXa8MtVNzR7L{KTszs(1*h1h+oB4Yg#
zn>@d9jE{)&oziLh?cR)_@FKi9s0zRlaU@8*kqovSdvk6QrABtWIP?e{jlGfHC$FD#
zE(yE6cHwdIX7$>IIJ`g=JOV^K9L2$pK36pQpbFRCVPDI?03J+b8!?maKF3$%xU$;t
z5q?U<QyJD$kDuDB+L`xE2>sl3^J*|VvOhLRv_X<z(07%rIkIfLvs&U}ZRjOCud_Ja
zsl_^%Q8IvE>kneglVZ;kqtB<lF4dc(2QEwWVYBjwQ&CBKYpaiHi)Y6d#iN?$-a$1!
zU*=$otdf4xfZ8<`!A>p9VL#6bxe1v`);Y`QTe_p~ktbCZ%a)2AT29__#uXVSKQ%@9
zhw|T-#GeB#RX#pv%1B1%m-}zOQuLRKp+0Wva-ytWf5?KtYNJ(4wM_CrNVzY3KN7zq
z30upe#!!{w%VZqnwKo?^XBevqzt!>JGk~;#tIu+h1$v1QhO^<Wxd_MHX^rgEn4+yE
zbk<J%#bNx1k%jN62=@sSAG|>;&JMzY`)=fqM!MYW=F){x_tJ>5owv;D`o|n}8^;G}
zIxiDs*_$s!Gq~@^vWr+7_Rz(-A*(@F37?Dn^>)6Fn3|3It*kk;U7HnO?Tkn(lL6Vy
z91nF2K%GjQ`hqu6UZL5|&~E!#QQ&4@Hki+aD7)_nZ5jdVlaa^2t{&U+j#?*&2oj2F
zt=G}AFg?f(+AJpqE{GNBe)P9rb?i*&8vMeg<|Y!=5_MyqibtCJhfm{M+-}lVTjkfV
zPvg@xm)iPp;>HZKPh&@pD!*ov&S6rGPh*A`pzNqp*TkA<lNoyaIL^OW`sAaxG1V>O
zW&7{OG|K(EG2N|@DXVS+dK)a<Gn$^ZO{6aIh5W6pdK(wA6@G^;VhzMIJazu7>}-i4
zP@HV>6V}%E>#-8_Go+X8Aps%`GVbeFj%AnIHu4)_^eZ8qE_soQZtyb=YI>U!QP$P~
z=p>wA;5sin;&rDj0UkPDn0kjDOWuTQm2YHRnbX!n8D~HBs_kK?oNAR$TMuuSJ)Lgb
zh|VG2nn%I9K|i8zqI+VQ8M(f#lOcPC32Vqj&YE#K&eQdr_@U)5ZhXv2VntTH*HHEX
z@Ftmj`Y?sR>QNWWwJpHoAEx&zNVQ?0I~`c=jTw>dl5yJ53<cQQnkM?JQmfvpQUEq(
zd+OLT*VH3@xy2i&_o~U?ez~)KnHla<Usk1lQms_hwQ;~>{aqdX@4nZ+st*WLfh<la
zIobTqd1r=^d%xFTRhn2zUT4S4Drprhd5fCUFW3)>gTFzhk(@{s7$<H&TlWF`qY<3M
zINAEX_0uzqGZ@t}$0LwKOlX+AM;I*1t)cRmn+rLj#NwEvT+9o+0pGcP$wBS$rc0u8
zY}mHPqvcWfT)Ah09Qsu}_}uD|+}DzCG^g%%%JJ|%k8M$9S7X^zcs7_nyJc2*Gq8(Z
z=_Q1-C3Ua1V^*q^>ZrmhV^IL~qf78Tna}t4WzT8EqfWJ95Aauxa1mzm@{1uY8-5Ma
z9k^X;kYxg!3ka!|hB7;~L9s=Xy&T<<b=D(3YzC!Ps^)6?YTGj{Pj0=Tw>LfC6lt~3
zc0Y2xc~W+izow3%wN(3#QJk~**xRW&8V;35<g$HV9^P{^hmw}+aM6LvrF12JN!6%g
z1lOV}sYNTQQPZ=C9xZXMUzuxR-wWCZ5s%Efv>Pva8dgh5lC^w?>3$fNi(wMWn_-8v
z9`#!^8nbjp30{{8Iq>{=Ez3>%^bjm^aLt?y+@DQP$*8bza^H_PQb0)~%d9d00$#zG
zC!wz!?PTVv3JuaZY50KYxn&MfS7kbHx|+1#VDAo9aRm*!dz2fmq^B#`1kSLX+cL(b
z;ld{ztp<v(iicL&qstyIn6)D!Rcbm@%N9GjMkRcZ|Hyx6IekO((28|ZwRU7;IsN~@
z-<hq{(!)%Bf9NV@=Gc5nwzD{oNx6@7Hkoa8bk;-VFBX7tV9pB<vQe;%$ow{*WdJ9z
zGx1lzIc#4s^5OS7H|~E5=zP!Nz+xIz7l+FGN<o@aT#{-X+yJuhG$bvfp6O58zPRgy
z*<U8StMmPs4ucOO6DC_EZpU{@?0u|}T*sbTM?uBrZy#GPyPQ@pL-=ia4SCFEyb@<H
z*e>5Z7y&(220Xe1<d|&AB||%G5Scp!qdA6p_>0#c++7#WvuWOt=_l^i`t<Cr``1if
z;eR%s{T_6ET!ZZH<oHq3h6mdcHj;Ki)%P|8B*r<eVHlLi>`Bw7HYrDV6<Dzy3FL$%
zNVAS2nstdIdxeoxzXrhR@IOYsCao}V%KCD1?g7PIKmO4u^OiTU5EiBj*fhhv59PiT
zbs0WIKfzrym0Z!sH`M0sxaO}!UYTX)&9F@8pId~%9O#6-cxAY@XB0@b2fKW7E=g3h
z=M^aW``G?E;L0yDMUSfPl1AR?1pRnCAKxJ3Ze34Y_Sf|}K-uW+aP+_K_l$6Q#{{&$
zVu3J>^R<9wtj4i?brg5J^PC(aZD*m-Q}vs>TkTO$k?obxDRtD!`PhDTI6=1d;k4z@
z1D6s;hH^!$ZD)8Akj^qX^3BzG$HwTibzX0#XWv@4WSRJRgo+ZPBjqPX^_c@#ck;el
zFF}y)4V*9)A{i8g6I3*^KZ=AA&eF6T5`dHQYUXy#_9a`*s$)Z0F3H+N$ps7A<0L1{
zB?C<7zJo>8scg+vv>Z^$2(hn>tMt&u8Bd<1ZO1b_dVlbK7uVzelNN#O?dCLuNtU<S
z24jIG_t(mUb#>8K_FNo{>6{<hxBekf;sf0HR#8%g7)7LnBz@a-e>U{j`8J+Vt$&bI
zT_BYTo=(MaZG>S23n^i`ES;$B@fZMAMZ%VBk);^UyWZYhMWUn>_4^?<p%z=VloWyw
zp}!S}Yww3%!$$CqBLI)0EMY{D0MAQ-9oDWLg4N_e5gb-u6azzBdVT-VX3LkTnY%|E
z6k+tkguPbVpU+?)Z4R423>>t;5YR!3xB*Fkl88f&a4=!3h!i9K-Ik+iIcoGDiWVLF
zN715;ld1_&s-(jIpQ3*d{fDB7d4oC3dS8O3RAfd7{sYm;{~-DoL35@m$lxFtQn;PN
zOF3H~UM!>$|19qVVTke4Smp@6MyWJ>wakssQ8SA>(j;CAAc=ynOR?w4BB|v8%|?lW
zL?;rLFchxXgxT6JM?b%pGxbWglAY(@`vbq9^ivM6{>aakHDLhBmSclg3UYSTX4$zc
zqJMLMf#l4fXF+NoJRxEFF}9^1S_1>dvEDSNl_F>416);>lu>32_hPLUA+)s~_O2Q7
zw#$ImML<dg;4=F@NXE+G#lA)OoR71(S;)ULkN-WUkw8ZgjN7p~;Jb(hj8={Qb}og-
zWD1odOM2^>q(JycI}6wfBT8D3@8^S`Qvb;9S7Q{s#g|bKwI9M;r_9UnaOkimgI0W5
zwOkk<SUk_2?k5-t8T$ED9nMg`kFRNLF#*Gopw~nUFbitqFU})9;}Jb0Fsdk9mDoME
z?;IS2fy`Vf3|=|skA?t$Q)K55)HtS;wdV85b(rdj-s8#nH}as{y+*C+gtJ=}7QQ^Y
zU5x0FX_bgHQeA#?*=<kW^&&!xX787;je{!xHRQ8rnNsSxz-6PkcwAeps}-IccU0Yy
z3vJ#zkj_}`)cf|xdp^r|zIiE2adI#FiCZq~SU$N0v)ZT&8nl>(HYx!@hrqnFkVw&m
zX@fE~AlE&Mr6Pw9=U+M+jv#Q0LYUO1Bflqimjr1TT_!Tdx}20=wI6yAJt|W;L}a_)
zUnO~YzvD4}C2eB!n^c=(f-lZ3A!z)xc<aIi2y~p9_OdmjCd?0W<9-WlU0q$T_D0ff
z@+eV))iDuixcU5i?Kp94y5IGEptGj043vM({?JrgKTX}4W8QrD+oS5|_0LU})xAGt
zc>T{z3HXMFV;q;~Ez2<Faq#mLBwoGPfSYO-R(Fac{8c-Q*H0GVf3OE>q$r~h0j8Rs
zrgCm-P-_|<T?fs}{#9oR3cqM}%OPgjWJ5o(Gsso=h08Nq&JzLWhxT0Jc*~hDB<sB~
z9mLj<^A{iU2t?4W!Y^6p#*@38FNn{bL+`KZCoglEZ;BF|NqN7%TkK<dF%5#Q%U|sa
zqo{KhrXMFU;HcsGX7y(=Holot0C!ItE)i&Yoh67)S;&q4$Pwz0&T+8Vx2yQ2a($Sw
zob%@ck6wGY4^vpWu2Z#)e_!JRJlBax9*n{}7KX>fNV}lC@>%{4)gC{TAlJG^FdbC>
z+-?3|yYl=sTrhEIX}~)~wDkFKhU*mx?r(J*oAdelxf(~2Cy+dmpD%W13J?hnfWIR&
zlZn#hhxHJA+u`n?oeu*(Fq{JOByk-U8Tq+-EGb0x6+u2vN`0wdbfh14DLt^f)bU@L
zzq}e89UXPv_E<k3D{q0Un4+jC3=E8~zmKymU-v&g-)>$%mtQ`gK0d;l-rDxxu5X6>
z1h95?2GY9T5cl7Jp1!Xa;PsPW|Bc*-tLuxm*M0!w>$7k4ndj#4s+XsC#~1iIKYy#b
z^~LGU-U4uTu6uS~iylc9PYHM)pW<o++*s@l!u7wpT^j}pZc@#^`=c?M$Ao*pHx*Js
z;6c=m8iFt|h)IL;KVs({`kng$$9}-GU!QMZpL<^)&<8m50UrNeE`8UV*X~!(UC(b<
zAHD8<J6!@6+XT&5h;IL$YsB?uNbhIJw`WMmXUMQ;NQr028Q(6~o$U_$>+QCU=gXeA
zr%&IvKfS&lJN%vYLmU52y?5NMH@1Dd-1}C$cdWOrFE_6*x362SpP#OtpRS(~uAULD
zpJT6{v)^)n?GO25ztycu`;P{F`xbyV<@WAy&-zCDO^FgA%|m~j$|;J)DRGEfR`!7*
z!az6?z8F_#5P&O-XAtx87wCLYw4G;>A^dcwr{5INdfXyNRx`R=MG!|~J(soDdx$AN
zl1K|wUox?;Fk<Z2>MW0}`(4P3j5_y&XD1$uhc6ls>x2m>+8ZIZ!}n^iVL@{Y%-cjo
zJ~It?TTxvTZfoC%1o=VsSFll$Tw7|sFoEPppr^+}>OFgiRCid(zVcxBwbHz}=cb1J
z50WqldAJEgYRs{avb$4L;&@5+AtiP3xkfY%((lLv$%?{(^arn)rs&X2m*y&9eurkd
zKP!WQ(JMiM3+eH=w@yW7d7;5TJ5U7}1FXVcm)DPVmHabOxcx6(yVS*x64WM0ZZr!t
zk>U$(YIlU6zj*{z#SyF>7Ln}9qv49qqg_}R%i9D`(x`dZ-eCngg!C)1f($W>GX)x)
zFrCiY(_hcf8GjdrFEPuUKSO!=+G|WQv<-g(L6`OW#s{-W;&h46veZrujy??yDfy$L
ze^MRU0?khoDCN~a%dI?45l5hx9sO?5!%-~|yq)H7hm3qKlTZyczA;W+l1L%`qx>Db
z6}A(FzsTwr-hP-Vh2Mt5xVE6-PnZ!b;*$i^Wi^$W6^7U<)y5;sTb9~c$tIm`MJ?xn
z5pudTenL`KB-j(XD8c({SOQ)BU)5kY5Z^9Q;oA(}H3QiotY}%AQFJM$`VF^wA*UVU
z?MSNPty!^0+cS$x!Og{Vkc2vL*)>X|)cHdSk<gIg<v?*!u|Zfju`O`Le-|n`SX)c8
zfUPmG_ZpClXp7$0p@wpL5(dDrvU{rmjNWu+<qCr!Pz0`(h!NkgX9|6zB_qG01$Bmz
z|D2b&&QKBM{0Kd5Rdpn3!1gnV*mp_M>4ES#DM2rfB1kemt~aOYTE-`jUh+ttC?d<1
zUV-sK27!NuAh-DaNadxBCZIh$TWj}zv2mTAZBU5fFmBnj{`a;n$;dcsx-5$wkZ}@v
zI}lBwW^IKbrbnQ9)y9=n;l&W{xI`uRi6$zWw+B*HXhgtE?G|dWfVFR=I7$YG=uDEN
zM*6&n<C&FI<il)0YE6|_d@<NQTT9|A)-h<KRcy%)rS`q6GOFYkJ|XtA#rPjG84w9H
zkIE(OD4c2B8+MXuT$~AKPOhczfENyrMLJC18t2}4hKal*48ddZ*{|n?gTpZoGqm2n
z8X@{gY%*}lFzI5vOCdp`D~y#*kCcizYM0FxDrH-{vlC$!hwRPC<ujYxmF4nHI%vz9
zVy<TYYlPhuaxaSVx~m);33DC6T~19^+E|#E1~mF8s_7QZ&E!xwI|D)mIeCH%Cp*50
z>Xu`t;<J2X&J<#<Hoif;P0A$@E7W7kv&~CAZlQjxAj;zduwG08aJH61+H@yL9iV%)
zH|&ZwA)ONO^3bFacH?F22cAB@R`kMG;cc)8qsZj9Azr$1cD_VIb3@8O9*T@3qE?=+
zBpLhPLXu}QV3dD1!2>zjF$IXO<e>XZ-b^FbrB^Vipp|&D0iSctaKh0rr+z3;)WXHr
zJ9C8gK4A$@Vtf`E#U7=2oe+})$r7}8ClDq78wiTe3e}iWnX!GI)Oa<f2ug5j3`8Dg
z5q<WxODvzhsSh1w8mGia{rnrqSB8S3>FU?To^RyF$czCf6T=Ue@WAxek1g@YpMw_i
z=pz3~hEP8<tDb+9+_X3pExI08_rz1PpG#{q*ot77Z+Tg8Tv}DsH;MGR1yk4Pih5gw
z=3a5M2fr5uzZsnmFDt8Fyj)YbNPl$PDZB>mU)?i|e6afqll!2{D9j)e#qcNC^zPqP
z!W9IAJ`Dg~N%Ziif8({D<FFUAgJD4gj$HXlRJ2!`1v253TRsf2QDRmQsfry$JLKuw
zAp;-RnpDh}vF9$!j4Bw>*b?3;bHnFj9)t05SMk@`19~!+2Wd2U{U_7+8Pam*+~;n_
zhe6T}rGWSb{ixt*s-H~w3TfV5UhPsx+YGe9C+vV{#IGE!0YMv8!}7LgypDUcL$##)
zcqCJS26DX8RK{UQFB?X05n62mrsLhsH(3v~2dh`s7dHKiGUL`F;^3E7`PQYhks0+@
z2r}oW=9^ZQj}SlTH3q$CdKKig<O%X8AYMt^b!Bs+3$$86#cW<<cJoht_q+b-supVc
z6F0C%GIPMM%+_Q9M@L%HyZSBrL4rGyqGIeI5FCLpYqS}hS7q{#eZtgthy7c*O&ozc
zWBmBBB7{YceJ^S>@TIiH0?M@i^&?beB?HS^rN3Nln8ii);Y9`3{*uT-vQi?Ua0<q}
zVKK{|5G(m4L>4N_k$Zf9t{+(Fo}4fTf_EtFkqlmv!xhOCWvSp@W5Hk@D;U0sZy8EL
zu-~}P;#dYW;1VZR2k?d=FFPJ`p{=isEcx<U2P=J3RCdJFO-SGDf>cg-%GyI;8M>vy
z1}6&IAGGc?xRn|hAWg@NB||OXRv~1gD29u@=C|AHS8Q|U^9rrL**Y~diT!p8JpDXD
zYX6=8B<dviMkppUK@>hsnqW~_!R<S50S{2GOFJa)`y`TznfF(`kdh=wcIps=7RT?3
z+m_~Ii>Qrg2IbKP{A{$`XlH&e%*`$EFbJ`}#mryHdQa4XQjllj13U3GXz<iP`)s<o
z$vYf*YR=?oRct8pyUZbF|0jGv3N<xZig`t#+G|pv+F+cF{~7WXB&~F->P1-P(@Ovz
zs%-%UCJOIVu09+b)Y4dR;y8zsM);eK67)>QWwHZeOU$U%vCzc>H10f8GzBPJv_+H`
z>Ht2pCaJpzmGO+>PUyfTV-pv-yt{J|Ymd2vW_P`7HYYwx!8lLzEFl=c7wS$+c<2c?
zgdSGDY-XTtSHq>npJW2AkOIDe|5nDbuj}{?FKJoJNR+tSr0cxk6m&6ih^cM!yxh7B
zOwP<Pw-mi<OwYq`bO}2&>4I09GeT998e87Tov!|_cXu;1^@n`ohBlhKQEJtoRHZ|r
zY)=Je<*KG0r&MP6F+2sJSqyGDlb$%WG%=EFf=xMzYr4!9NwrpEB#n-#92ognMROuI
zVkhwIpSXoO-tY)dIWC`qtx@Hlh~$Va%Sk{M$T0go-ZK({3fp2z=pE8JLOX18^-pA0
znINOf;2(BoS(e6I$^vMZG$QQ0U*8;_@umfjUin<c;r0($`4Jfb=+N9TJaO<OP*j&3
zmjf;$F4r-i6c?$jn@hhffl|1ikx)p`ZQ=&G^=de9Jv^SUY>3DmCHpVD`y47mxU0MY
z8l3n}MM{5}bj>(Moepd8dn-(8Ak=ZQQ<ZJBFw4$tQ`2Me#HPfxA#4r&1sM+f95Tva
z^SAI&o}KJ!TQfL-NUP?JUv-R;@q#x<JZfR?2U*`e0wxgWD&(g07Z(uTwUyh((qPsv
zmZz61Fu+PE>@=PNFRwVV!cB9UpW6|d#>goRiH_{523)Kv`M7>~o~P5wemnAo^fH(;
zjluW<xm>jUqW{&&6FbyEvGDk(EY(NO%+IqFDU?@XNYCLf@an6y&@KvB<`AK$0!sQX
zt?Az><jyk%NXR%8<{hktGJ#ozS2)o0(NVjsEn!a%+WztBL!Nogaw+^yIXv)9q0mX7
zK@Fx<ur*SiB$t%vyZHHywWJ}Fk$a3+xZa-5S><S2HOjY-8ipEfiH|zX`VpaT78k*6
z{d07<noVm<fXoNW4U;%|(~)-h+r<BcHpj)DIQw--URpwBI`<2u!3B%b!kb@I=C{!e
zFAuWiPob?ka^@<^`?INXY0Vl@&GBn9vBu(?{q4N>Vtgp%FChMXas-gr$0tMIYXgGS
zAHSod)y>_`#%USay+(17r<p7A1{6?R4XlSc0N1ORf8kANGHA3<-V`|WSP4QbJH_m!
zr%bxm9ytwDp~NuZs;v~!Dwry1qh$cEsb};+{t_kzA2jAj84Z<!I0jS=X)U3{rb5b~
zTz<PzM?7_K3GW#}PuwG@T+7AR!W09kGt(Mcv1JU=l`f`xEq~SJj}>)9LhfFIfD~jG
zFnGO47%iZ5phvE=0ut(xsuWQ61DP)FHvA(Za173uhU5LNg{-Ue)F$WejGA7#a~r3H
zd}uc4IW<NyGSo^gKD63lpjW#=eNsVRF|2~N#0qTuOV`#`p|58ZI#lQY$BJjfLL7dj
zam}YcNaYVsw2<UP>i-1psh3snsM_5C)k>O2DyRnP<&+xfzYY>2J802z-Uf9hlrzoP
zBSFyMItl#~o>xwXj$yqCTQD-Q9i!BjhmCp-gXCg*x%%gi4Upj7PAU@wDZSrD9;5=u
zBMaa$qlC8Uu_6l|37H*(8ZIh}jQkK$xQtOvsWFws9iDn<6a?lKhqys?or@}gazYv2
z?Gwbl+oUP*ve}=*)OGmolSHU=AH{ZEpp=veQ56Gb5k%5-qR3$myK~WO(UqIN$>kHe
zRdgzhl?zw;=7%E1PB>c9DyDY!swyS_2IrO4h14wn8=QM8rdSf^a#T7EDB?RqsF|6m
zv)3~(3Tl2*R@EvRn0CQb13D@OWE6q-e^}@FzK()}w%fmEAjiP1c;9~MUZQ?)e2i(D
z`j6oBamwK9U}Xdfnw=Hes0{`ML*SDg4-SWGh^{pfxAH}5xwdW%OpdnNb1VAda2x4u
zZlO11puS3~m2h*7HsR_zp9xpZe)p~?5G<>O3MeiJD32^ZN>jfAV!#8ZOr6%Syo%>H
z#lYT>+V%2a>uT!Qq*!M-@-h3P<QZd6(Pl{p(DK3&-W3z+3T7f@35W++^WzzmT@4PI
zSF^F>f6>IS8mrA<fpW=hSK66HRHA0oKS407C;!_#5)n5e9a<<NO;`*QgtZ7-NmOFU
za2#Gw>(irbMdfY-HVg*!<9Nzdpw@{>A7Iu{zS<l^lL)*%F#1dK!!XQ~uP+4LGEWY@
zZfEW{PeM#xD28SYfi9e_KQYovZ1mzWb+5O>5Iq$vUsjmG+dSPf=P2>^C-`|`#`ZGe
zZ#|{c%x?$QX;6N$R(CvRW~Xm+!Oq%Uf;7hqO5afm{%pwt2dE|@*Qpg=!CJBBccfN6
zVe$~9kb<LqvF!%3!!+bX-$weA<J4LJFyX_=;ZXk6x{Pww%NmcQ+coP5OVr>%A;{Fx
zmZ5M739apaDK8rAQaSv|b7M41)`D|lmUz>LIR)hHg198Gy#pJd@5vaE=&U1+cVJ$W
zIe+iEqMZ`>AUue_e9}cCpC`*Bxo!dXu@+iNxU|J~G_gi4jnS^2c!3FDT>m~c#QjT$
zxdEO*hCWrvQ!<S%lZb%F$nmbByXtsQuMA&inD$WvCM9F+8}&r$N_mBYU7zFcKGf5O
z*n1D*U4wGc2XeeI<Iv4n{LLhc-l88^f5sH|2+D*3%RA+#9PV2-BSK7W22uR3?od$D
z(cEq+&n9sUvYpT4l|Fl=*Ul--vkGg4wnWJqmnPm4^=+_fQ3Ex%nuP)_(-nG@>Xd-o
zR;cUG+ar=W8vXI^>?mGDLp>N#k|4ZR38qi#dm{e%M%=r+<oWmsa##xN59LNZbeL7D
zpfGR1h-Q{_-R9rgk>bbEK(>==GZw>h`@C5ydj1p@_NxEM(54TIeP0l?WK@DLpG5b1
z?XtD#wOi)j>!+vZsMsOx7L8VFl`6{O%JRMkitqW+7IdKW)V;VKyB2CF20v+u&l(0=
z6q5hD#*?e_&ERRb3CdE&$VOitzCDNS^AfNWEwNNo5O>L(2sqYwt}yRCQf!GD(1fQO
zo9-T%-=+Uf9gj?G_5M}YV{LDTBX#vvM!jQLs6y;0B3&q|lsKzGJbA87rd2o7`0UiS
zZWKT&SpWyd3zl51Ys2r|>5Y%s4dst`ZfLWm`Gb)qJ@@qV^snpBXE?-aukyaOK|MfF
z-rRyAU+rb9rs7;||H1ImR0qe%1*1V4jUA&;(7bM?h|{}8DUSGiPR~M&Pj&aPxS0r!
z<I}{u*5L&jojRAd>Wp55R|jw9>RNV_x({;Q*+mO|)qSL%9(3b`mnRuEB@L$OGRDE-
za&33_%E4jCpNie0`!OE4K9}8oW+Wh2f2Z4Bou~Eg_vGW1bfPqTH}7?=H}{X2kZE|5
zKl2^%zO^^SUUafV9=>L8keFw--Jwm>>d=|c3<dr*0`Hb)F?5)V&Qk;&qS<~~qeK1V
zBb$K%=DcAgJ0P>adwi_2H8a)KxsFYiKO1M12Gy+$t2s@V<*`e-R0u<rGmC);%3{{L
zKe!_n7c+$=O9m4EmRWf2Uh#-+qb_$!f^>tQltR*iTgNr@nc6lY!hZyx_UgdtBrV@-
zRlAt{VoaT!Mt36od6;Y&X?8nhZW=vLW;1_|*;Y3JaciUY(&GbuNes>?f<lKvZr}@d
z5TDBU?HG{w9k@n<9hC5~0ILd={*lWJOcGOLJm{V4CrKFyPr<F7XwCW5M++sr)4xsd
z(zm;$({s<bM7^GEViD$l`o{0c5qmInY+eH2vQ?v=(6``jDn~bZ_nNncrZimx8=1y&
z27{)1x<N!IrR(E}B0PzRqwo_3;cb6CO!eVM3ukCFe!(dl)|yE6e#0X`)QUDEz}gx;
zPQ*?u)?YMeaRtjd*h(-AwIR><4V87U)Y!4QTa2u!AO_QrrB4mZu;`GQ#KtsOZfWxH
zU)JR)y8c$IyAs*W6w_Pm+&VC~ab;B$+?1@a`n9{dt}S0MQ1~9>8$8O&>cmSY`995V
zC^d}kb(q84ZEep>(uWveBH+a}qL$NjVC2c&y24s|7tQ1BLFc56rW}{`#;6CoWYo<;
zORC49VnT}YVBz3p2~XSgM+Lk?y6*2hrt$es$(b{g)K6L2i0_z)&J0O6Xlx1y%_s#k
z_iF2sP2ZuLOnPZwi1(hVCu^8H(5E=w^=dO5_t7_?>JZFFURUh^w6Lef16!j{kT2M{
zvxf8HGgDBST<R?IiJ`Ao#7r^<qhC?Kug6@<G%pKRB@N?;L5f0RoHFxac3N;>2(`1d
zt8XkOc~0kjzznbVn;I#hMFt`a4?v2}ytW=TF&~dU{pgqzyUFGW$NpacU>%?0WbMU^
zvOvb}*D5lb_{yDuMuNklS*Cw+x6^LmUR?F|djctk?xhS97HMilA_jL+L;$MLlo(F@
zk@{XA3-!BJ^3#V)EH$(7{mj<h;7Wj3(pbbhE0;%xDK^v#57J)yMtQ55+$nUeA@yuU
z`=LD-pqzAdxi#%6c|HoH3Nu2&a&!imJb1)tMd&eWl}7GzM2`e9rG9@5;V@HA-$<&Y
zJNN7dsEcPgkoj7BP|P+laIT9X_fUTk(R4i=Q<MpqtI%?XX_05kqT_O`q@gu;oboKL
zOLrhN%I5Zgth4njJ8U}s9e-5eg90DawC9Ixcu-e8;du8|(7~u8pQ6&SY-}*m-?Gr4
z-avTH&qD_F!ORhN<u!kM(L{v{M$1*WV1)}N>gDpNUS}P+U?F)ChXu35#k$Ul`6ysY
zw?h!G00>yBeo5gcYrY%^@SuVK*98H7LH*OZL&J368iJ-SZ(qoz@lC^m2eGBcDp(L<
z!Gn|rmR*FZfn06394sgqn>hp<;gNGBc|1I84vTF7>MKiwg?oQ{><W*g7zl1eS2FOH
zygOqPcSb>f(VgTKll(tKpK~0K-HH2~W!uKCI~(trPUF+{-q0O*d(hLpA3lD(+Pfx~
zVvaoe(*L;I+~5Bb27vrD#WcR*3-lF%R(b44)48)|u7k^l*H1$;zn{(A*||G3yTb=y
z5^J#YOKbn|*JOXl!7Qvz3#CTj40m!84m3Opp87^K?4A7fJaWw-j!m)@a54{*B#cpm
z*bs3{0BegN%9OhpT4ztg0e{{h;B;UuByS_YS`O&7J^(J~Jb94z`VrtW83)|xJ7~MM
zH8}?BkC`|f9>>Q9wgueo?J^Vy^cEX2{rSv6Pq15)<6eKf7{0?qQ&UU}<@+lA6(V(5
zN^Vm)%TtUE%auKHFN1?7ZU_TqNgtp<laa^iLs}W$G;s`m@YcA)Mm(H`0riBsK(b@4
z2v|`FPK#|<KcAUHzSliABG*JjuH8-xV^<+^8%N|09s!X{(WY2YL@ueIis~g#*qQBY
z0Flf5R)v4aMaxx)T!qLb>gDpNUT0&7Tzm~LjmWL_n6?^Dm!PR6PM4@(QY6ZnF9)ZK
zW(ZpvBB*e>t&1yhdb)7XZ{S<T<dUg1D@<<o&`XJlz4U@p4dm*(r7$_+l&yGKrZ-lB
zCMh`OrjfW<MkWHf_V%=1eK5!77j|X9;dth75bS@-rnU0L?_FHowR%*dCrUsY|8=u<
zbJM@M8UEg^AO1l}A{PJJzu6LBrBf%};_Aa$y3=BC9Ce2#LMC^u(CvkH!<xd!MS-5Y
z0LJI9H=|yQzI1nfF&e*}HU7TeIJvpmySe#~U%%V=&sXrjAJ2ocd2oLj{CFLFKM%gZ
zFIInWF%KT#mxtiTdGOn1@cumb%RJbJU#^2s^Pma8Si#@s!2$g85DezQ;brjCc`%*_
zE%@a+_&g8Vm$l!Ue<VKo`$4_+NA35+#2e`1uiw?=D16T|Y=9(-QjMs>El@@0V|@&U
zCLaTM*%RqGIO#i_%1$%r90Z-ipwkLE?Vx|t2|7nX=Q!w`1RW#j^n=bI=nR978FWU$
z(SC5$42}+hqr>2+6&$sLqfT&i6dWA~M<>CN5ww~?>mX<y2CY`mY6q=O&^iiQ$3g2P
zXu;cl&>94-VbC&z)+lK22kmCiJ_y=}LAw>S+d;b%w2y-JanL>q+D33N3J&_g;jn*J
zul?SsH(P%^m;UnU;&bqGtM_i^PH0_R^JL@Qd{5W@V&6-Nq@qvU1ak<P2xHM=T(ths
z$<lHC9pVhj>rH3Y9SDaVg)-JC7m{y$HWLZ-F0Ou7{6-CF^2lRj*Wy{!EeF43`kEIa
ziw5}NPOAm5V-2dbro91t(;|qz%Vd9^nMK6b**<+L4wP$fH^cl{Nx(abnzMA+oKSIv
z5GUYq!pHSq7os@MG~aUpwl=m2#ppvgb)*Dk$<k~_%a^dLa9h})ug`U%m_>g|HG^^!
zwr24Sh+mniGtg@s8U)8DPfIxLQ2(II2>p4ye}bh255wT8K}==xo?+WNxr2W#SsnWR
zR~b&4TtCTZMp4aN$7C8inqQ`3JSWVZQ_m)M4e>Oma|nP(vNxryv4t-2`BtY?gVW+}
z6`$TKV~BC&?lIpR%%AU;nHOtBWZR~*v$$-H{Tn-A-7X5Eyq=3xOL@g^wz@Z4H9pVp
z-FwD&cW$%LXU71&4b2c3>8O8>bi!M-ER0?Jl7ad+7UQ#rx`XA*BETv`8wSR88lOJC
zJFaV^MCGU4uXu!+`N|BNl9hb%2*sr5yVS|Np{zxgCDI#Rnq=L<$JCnEFHP?O8d6qO
zih`6kU9vN{RO&Ev+a8RJW!o6Q-Lv|($i)f+H=&V^EyO1DJ-XZ?om7953-!I*a3vdT
zV4F~#592Pbb2%^5xsNkQdOC<goPS}0=Hr27K)Bvv{6s25MMOgj1`7&IU<8IcH(T|H
z!8KB_R$I`7VC<W%U$BA5TV&^7h4D121FkfsN54p8bS@}T(;gWB-czk@Ingn`oI4gV
zBK|YQFn}KLWG|J@a65lYZL7E<78RE<O`)6CcwFHC$%q#s652{svKEqvpmgwLk7>GU
zJzW=h?zVb!S$n)bC+jq|7d7tZ7?cjuUO%EqeldWtPSbHwQ}*{?Mwab!EUJF)!Wwjj
zXU-60i9d7gb@r%~F?+w&ti!)Y&E5Td`fa~inYACotbO<hX6=8}Bz*<V+DVL8R4-|!
z%4}x?X6?*xRc7sIxyr0vnY9!3a(Ps*voW)Fd<`#a)?SCDV>M%Tf|8QP>_q*Nf>73c
zImYa0B9x_VYn3s3>wgT}y0o167Zuf@x@-bPl4-;$!}jc<my%I#>BXlS$klk4F>E7W
zGh%F}IQvn|*-?Ls3M-N|BQw-VZlIP3#vOu5k@hfbDT0%1=Vprr2*HyZ5(EOfh~ezf
zxHM(4_Y4ylnPa-?Abff9pF3K#o{%XOMude^qMmTDh|N9NQ_!nX6AqvZ#_wP4vNPX@
zH3{?xcpdgy8<#^^ZyVcnZEi6fnT8L06u(0@clgl^$`5}TXcwk{f?%`sP?FR^@dRdZ
z49oK{081V7y_jEM8?$^~5E0zT)b}1G7RvWuKog;XUgO8h0afjj`p4$MeiaAhQQ)bs
zld3kVOqNSjo9ORa;Hlg+wQGc@swA~>Kq#YA6+BhJQ;B-HJgV2(7(A7iqqZbGwZwU4
zHBhQZGTMJq^-GFBS@Y$9QdK6}b%9b>GC%Vh(|~WnfGbey(wbQC^R0`((i_A3#&N1A
zl$Z7?;Z!L}H<n(Hs)1b9w-ipLSewBC5wGEs&*u=M#sUvb;Ky9W&-B=x<ypklHs^os
zir$cxLSFEE)s2<FEyS%xGmZ!}hZNQ1qk1%)ldpf@{jD{)C0{<8cRCdJ6|sF2V-L8q
z-7w0DK+BGJd+N!Q0)k>gBg-Lg%Kpr~$1%A#JRBTyi)F5V3y<U=^m!Ol(fY(f=hc63
zSKcmb^EfO&T8=fDPqZP_bHhVFJ={ge-Ho~}CrE4b78Z)vJ<e!uXpKfDo?RG~iw?|y
zr;vYy`SI92f^!pNXcqdgKbxbus)q#j2+8R-IYk#E&LDVm<pGUb9yaUnvGCAWkA?@s
zO~|ic3L??qwrKyO>l=3OXWmfn8vgaVht&T26w<Jir#?IPh?5a|!EZK*ZFjj79fi7R
zc(6;NOEDvcLW12sB4%t`Ol!loKAYQWHIRS5B`mow55N**PxSE(FZ)pxLI4pKF-QP}
zXLfSJ;3)2mqOEa1?zg}S66@04N<n6LW^X>T5v;8JaziN|Z?-TjayDX_5}c-h$NER~
zSa%&8C)4#be{^#DgmZDaV|pgq3#_nnv-KknUqr5!e>Ml7T|ysg;!eOhNu9T1A$5Oa
zLmkD1`9>j_aLA!yMKoc!`XGi~)9Ybmo&-nh^P)GwMGY}FQg2%rOL!zDrCj~eDfS*+
zWzh=@nRf2)GNzOG>1-wH>TGz6@Mz?<-q$3CoizYS`Uy|e+J`}E?(fqY<dJ8@V)1Ag
zNC?8mXsu68cWRsAPC*Z2>vcEN%D{gwe_gv1QwR;>KKPYv<?5@zaP$F?DR;Px<#yzm
zG#~OKk;&3TjyLzF)&K)V<6Q=f1r4n~2$Z$YbFd5S75eX?s4#{|j3Gs$f#S?I$3P=4
zec3Z19<EjUT<WCraoREgL9`>;BW477OTaC^3W0MRv0La9PX>&-T&#jYgx!B+kzFI~
z6FC|8Y||P0w>ydN*4XQAijXFriF_2ZiR*h`G22q&dz>f!8+cR%^~RZiIS6MlWQ?(O
zXA&mP`Hm7gqqjQD)173AcZ75sp#Pe6!DV3tagEIw=vjE1gr0%$hq-~{0Vdi57HcxK
zlNi&fE$*oB4_t_#;wk;(Hxz$#on)JHl-PDOy#yNiGw>3c$Yh6<iuRE80l|RDlZ)WH
zZh|#&QW7Z>qRd*uLCEGB98y$`ly*h5sLnQ+wQKHj%hbTP#62O3xQ+q_Sw1EsNL|^D
zaz8$c%DR5s;#Y6p;>j_=KV7_dg_}<bD=)E3>KU6#*hAoZrJd!k3Pyh;_`#gGcV>Ji
zp^?*cD#PdT>r*6lsQ1kUBk1#Ln<L)<j)-lq@TrKJfr_sv**%3mVZ1PpSdhCa4cysK
zyMuyd846XtfQE2nk(WTk6#-RrhO#v}r5`{l^9foc#z@kL2&CsUN6^AfWJIBqVA$OG
zUM&B@c?fqJBuwlzz@&fC`Pt17nToO+-inI6(mPt?lI;?X8vI5F%7g!9L*v2Y2Nx5M
z8@fcoBM07Hq8(Rlf^_2s*OJ=vK>xL<4fD&uo)2-upO|<rj>sW(6t(4Pq;YYV3e{6M
z@40niU7BLrgbmy($9U(*=#yx?aWchBs!+*Pik0_4r4EPca3p_kON^GRb)*<SWWc)4
zaLr*@B*KW1QkP;n7A(tHP|OT1bD1@9sq;dv&q0m>>>%y+*YyD4$4pOPPn2gcJWbMq
zH$qJU(JYkUNt^-)d|&{t(+Qp@^8M_%_bMO~oAMi1k7BKVLf1>w#gg_>b+P18Ecah0
zzi|{^FPGgo(cgcySnhLk8?VuFUu8Cq+sZRKRax#U%YC9=E|2PU2Ai_n=Os2SYPtW)
z7M#`0{YA1Lm#SY<X3Cl`$K2nk%>A1;_g}+ev5gs=Jl;IO%zo3h{!VNOvdY$vw*F2^
z1IsQ()j+PYT*}t37+gDGsxZ0@CYYQdfpFeLNdIdX^W%RvRg?{wE+KdyRi2VAJ7`Bt
z-4y-HL$7sCf`uVxhQ`A#JM+Bx1bZO?(}T7sy;~qhNxxW3IxUN@W^_c*OnVbTNbxsP
zm_*GyJZY|W|02wC!e1#+CWenS_xBMm)#?|>)m$h~a}?{zO2SO|8WEIzKL#i78h^^7
zz=-}mT2z1V1L|fh4wU)~U6n;^+f;Ech98T<BnVX8!JeT3vf2=yrt*^pFugaP;bk4q
z#UMwCyE-_=KY%EtghD1~o;rt!5fZ*NMersIzVVPbiqOazNYw{4Lz{jt!WM{cBKCyf
zv_zl!CN@Bl0|90UXb}v02f}i<5S*74jApZ0myv%vpX)87bHg6YNzcHU4Rv|7z;>>c
zG_Mid2(x{Qv7lhy@O;o0_7PDjTyu#<DAFYx?4Z>^(^lw(wTo7E%)RVk;uLJjV7I`6
zocXwC)713I1}joO4`3OqJ`O1Mms;O8riC6-x|lTPTqm~pECJ36+<ZK6v-1exW{PIX
zih_TeNo8GBF9}v;wzC0nGxJ*&xEU>1ftwY$nW&e`qk5f<ft&F)yezo6?j!4J=w*Vc
zlIUfkeo3JyYrY)x@~A>DH;-Q8>Fup)`^GnoTOP$0AFFUn#4V3f8d!E2ss?iP;Pv5_
zUjw345Fuia5~BopBOZmYrCewWKufA4eO-Uyw2WTG7>Q#Tf?@u>E3r*<W+%Xm3#==C
zEDzlpF~If$!1Rz`%%Qg$Iv^Uy)4W4|tGtmPUC)0<h>qhgBn91eN21`01POm-6aH{~
zF1qwD9&-Zj(ZO!Y3t<!ZO-~P>CoVB5017`L!6$`WNLn)iVEWA+4ULB##Ddiel<|LJ
zy5nWU<63P)z_4gB(=oBz6;AHt*glwx8x!HJtx~xo(sAAp*oB8lh*t+ARRhfM2K6Xx
zh)=?1@lUEL?@j4=Ec}et?J@_R#r?fuTCiyNQBf=;qpAB5DxSV@t_6p7F=2&?GuT5G
z-r44?yIoKAAr{t3n;q@@-DroxGAV!GK24DqQP0k_xL4@?ET=*IsTc-lAo-y>OLdh`
z!t|-$v0-m^Qsu)r2bfdeS+WZ?hAyAu9-0_JqUtG~l^)+*mXWV_SV6u-Op`;0T^a!R
ze@_j9av2|(7Hp~Ua%${wuvQruF|T1~Gwcksyt9W6YAu$#8Uu6rD1;@@l-+;op6|{~
z!`{(4RAb+vktpnXw6)U=A^hCUBu~rekOPe!q`m%X#srml&eIev;a4oKa-jdR+*rti
zS@{~x@Zd9(3c(OLQPthOf#a9d58gn%S2vD49U%OTeoAu(!Tkt^v*)+>)Pn};ua0Rq
z`q020*Z&%@ouN+J2=5-<Sw?>YcDk9-5UN1~`_rHfHDrhO`tbYS(a}l!I3ufi>R{!K
zc4bef><Q)U2}h4$Pe?iOv7+{b<RMyAFNqIkwzC0yLgu$BdqT8aWlyN=35j~SJgV0j
zY|5SxU&9-*Cv4JmkRYI>=^#<Rr2LaLUykYExH28A$#fuYS7Y+CH?Dv0p;kIG?rrGp
zH*GLDjx9M>84S>1aGcV>vWrhOkgMpHG8hPk=10~(ury&X1Hsf^#bl6@PX2H1oPvKC
z!yyLSp7BTn7AznYC&BV~Od-QVw3~+n$78HD<Lf{~pK^U8T%(s*p{w#>?)<V16mQqJ
z1-bBB->`-l_G3tY9q)hJ<`{&@wq^8?d8|8neCIyEYQx{|$0pW)Fm7EJetPzNHie&X
zsJHM2vhTo08)MfU+a^37!Q}RVSd^AC;Llsj*Pg-{8gN{PC+=rl-q^2CA1>hsfpEM}
zzhWQ+7EAiPC`AEdIk)PQBP432VXK;pbpgleJfG=$7&ukTjPifjj>aS4;Vl*=AkdJ<
zI3gLkry^C)7oWr4XJ;MIXv@a$v_cv1Txy97fKDs>oc)6TdTZI3ikHVH<DvNIC6Cx;
zc%D13$g)D4xE{$0#U+R*DJ?NWwJo9y83W(NYy`#w1r*^{IB)90CtQq_<ycehj2zxL
zWVfb)N+RVyu)Kfq+~TpkteN!a1#!B|E`0P(w<dV-G8~_qtM1UwITp^%(F*It%Zh?_
z7mkJd;Tc^7S!V}I0d~!k{W|=6Smh;n6u|EI5dgasjf)ip?2<~Xs9y2_p4rX@0K3d@
zRe)WzTm{%wfL)?qE|2PUHU`+m*YL7{-AYHf)gZeB2_=6ayF~qx5>VEBIgs5+1=+0$
zvP1U_!@qDw?mIZo3@;p50%ECr+o0V^Y|*g_v_sJDB&C66m!E1NSJ^EE+KCJ_K5;gj
z{ze#S8b6L6rRaB}Ts^-gey4f&nqM%K<~4yE5y0(cYmX<deD69YhMr91+booBlVeXN
zEJ=_kb;f^}_<KTp`0wX}Ao=$P%lmu@<!$-kr<pajfZfhrXN31`2de5j%e3PjjD=EK
zQby0vXKW|z75f*<`9HR!k4nOoH7s4LAw;kfC8T&0vIcJ^Mm{@boqc@nyO!hcWQ|1)
z%2Bb%KvT%=?H|pdHJ@zPxAE%yHhm<~2O7i7%%p!yporNZVnOszrdwS*r#yG3zh{=n
zRF(Vm;SyV$+1L)QyPT8sLE7uD1~O^^PWi2Vavk(zu>jHq`Uu&~gOxP6MQg_b*@yBV
z%GK+{-YW2KEqcwj0sfsl0{EArxv`?)Us4$s)k_}cGuzn!_?P*u3jB+ftH8es{7cl!
z<xzjV&c?vM_!?do{9D(Na5Wq-K}|^<Fj2pxFqAbnhyzNzD(q$%7;sr2Asg+wTf~fu
zBz*~<j`3RlhOjlA_if9AbMV_})lfF##WcL5QfImHQdb6k@FyfMUr$e8!#T%w#;5P$
z?D^{Tp7@KsHYcYa=>(3(_rA$q8w^&(sC$2-1flWS*qwNL@|uiX_8z4PusjbI%FWg(
zPa44ge7$F!qMs2Sv@Cu{lw6SHz}DFmqbK4e+YyG7!`J2nzCNO8a*pR4Hi+Z#?(041
z-s`>T>5T&<WT-V1#4p)x_`=MI-TNWrP*I|OX(*Z+!msFGdCcPQ1yCrG49Z7DB&B~d
zb4{K+#d3H~6iPY-?Z{k+?#$zn%mfdikfHIAO-WZQykjelHh9#bWv&Y0-6`9>uj8ra
z-n4B>6$W482_n^}5MiK?bKL?uhI!Sj-*|XEY&dg<&-(7%M|lUt;t!;7SB<`8psSfl
z-NoEN>{Uatk}7z?=a17e;}HS{P3V7vhH26yNp<Qi;s@@OJEaZgp6^Z=N!=-CVBsDf
za|agsXKI5^Elfxnkq}ZFOW9%9#(!<=^a|#ao!QXH)!F;TPuH*a;30o?4P*?jFl&bP
z@MjptnZeF3*tHMa!$f=acW+?WFxVFkzwpfXsZA?!adFMBukGAf2D?1tzAAq;Sz?d(
zDjdvD4oFM;0T)TQus`C_&BerECQk(VDmlm>Bm9HOS11oA*)QOL{2<edja(a;h8CgL
zDnI<9t4-*|qw3;UO^din$OPcm6s92*KDxey&ID_3Y}k83pf~WTP0+nzH(=y|)qumU
z_*+^=z%V{%7Rr>zW1~_Sf#HA9;@b`UHAc4`j3`JM)Z{({tPdOYtHiV?mJh5KE*krI
zXT0y;ncBo%!njbzHHu}(7mxts48GbkX7GcFmkeR#xc-p3Ajk&^0~gv4l<SJh^94B<
z83<)_*Af8?G2XY(nNVQcs-w75petm!7Ptu}!Wlrc<@1D*7~K?uXBvNwkC6~3SdD)i
z29q=(1+19tudu^n<8>ac(}!=)=Accme>W!6KdGbSKRE22loGPOr|mV(x*}6G`T-l&
z%e2EnF>GBcbrKf35~C1lB<xO>tRwD~@*lYI5_bzOs|*x_EV=g*rv};LGt#7DyP-Qs
zYhG@Jv{&-(E>dh4sU&~d%BSo^ykG&nvvAb`SA$+#lQHvV1J>P^!!k4OcgMhy^FDg*
ziH1l_oY6K+|2E|4?oABX8)kd35M7VI>&bV!-raZ`n0V;lcDIk((=XfX)<j7m{yHsq
zrpP|AWWgQ_s-(jPIdDNKn4mm75IIw(!vT3PK=I>$<YO7f{W5>Y{8GpJykmXo<9vh~
zeJ@Oq#P=Q=*{!qpZ)4wu{l&+~BU=SbyOLL=42w2JMY5SWW2Z>BsAilD<rX5&GtDHv
zlaJ#{BBaDGMZ~?RbS_IYOZ8t?Uq}DtmgM1<RE7vcRK$9N<>=6xczU!PtV+wl)1l>X
zRay?84lS)!X=#5w9a_>8kCmXM{d8zak273?md?|mB|XML30jVx4lU{K-z8`{emb<I
zTeC{ga`JR&Y3{E|3~%9yP_z2h|AhAb=E|FY^9k+#&6T(R<`dfgn=2~-%_pP*G*?yu
znk(r5i(L)MS}My4ffNhfN-|)*w3HJ8DYUF40oF@PIRSr=Ld#0)f4#JnTmC7uthD;q
zOG~-MpF+zMTKnbn{}ftQ(*M^>OF8{Ng_f1{|Mk*RPXAA#WhMQ8y|k3m|MNUR_<w~w
zl}6Ug^RKwW!drfYM>uhG8V3=d!Y$<uvK7NZHPAME{HtD7T(L-lUqv?Ic$@I%J&)N5
zghmL{DUmF{h9s@a{WJeQ7JZykx#iCN>D=dcgZ}xSpj-bBP)h*<6aW+e000O8bXhi&
fki$X^(1bcy<2-7~BCG%aN|WEiHU@XY00000)>-=V

delta 24063
zcmXt<Q*<Uuw5?;?9ot67cE`4D8-HvY9ox2T+qUiG_P*zww;H1!Yt^dt%{ePR3^X$g
z6kc8m6buar2nY(O)t{ygo&*zK*^5RE;-@E{wh{=)q=6SxT@K*%{uQ(EMb6fZn(EBw
z3GT-axi%MiEURq^%yRi5T(cuVij@jxCJ2~hC(7IJ5#O@1+m(;L;J_DU(CcgsC?arc
zHb7zE8+~%Wvt&It3W8F${u>5vkz2h69bh*XDa(J_iRI^d6wKhB*r@sH_>lt^N`N^K
z{r>awQ@1Ey9tpr<Sc5PRUnX{JS3jPB2f}b*D7T^ZmLRNeds<o#nxqetkr=fuocLlS
z_>^FK6mRD#>s`$US$M92Ue7k3dmfUAvwH-Q9|ay-9E))s`1RI9Ca`94eaV_Z_i2ab
z$=>Z|RTkhbJPSM+T(*psa4ru*=f<KjXCpal`8U%=!3&^NZDrIj{a#zz1ckw0T_g}o
zCcBBj)&X5V4e<`2#^eW<4i&`!DoD9YehF`OyTWh00C>5MLEZGhnXBjgl0dj-s3gz^
zzxnJAO>+OlEN*i4_Pwf;DV-8=Nm<-6u7@N~Au$xN{(@j;CQpa=4hIeCe1u5HhiO(o
zdLS1W{{t|Lbn|n!9wm8cS$k_DAe$O+GvDmN4%oZ`FUN}HH3Nd<O2A!$_CFaWMBB{+
zO>@G$v!f3L?|Udi$QBIVgA2$bfHcV36I@)qxpR0Mz+pA71{zu#)gR{Yl24B7K7Rx?
z9&s~1Ru2snd;Ec21bc(91CnqcEhgHVtp3EQBm>BvZP(>eh(Ry32fOaio;`iiH+fw>
zi6dj;dsF6@5)_3*Fq318lk{9b9)uCy#KYSRD1w;e%7<;clf><A*TRDG^MUrd2VUuM
zQwsEW9}NjS!tI$M$x_jTofz->y;0N+E6Uy$80m{`O!Y7(B#*dC8$weL2fX>-@9O!j
zlmSrnwCYk@_w@A7@wV^vNKryYB3J>|7a|5mW&%62*;ypi^^<!+o2oO*T}jD$6DVyq
z-VdS5I@17bqZW9D+SW}z4)GQicpE6ijJ5SytO6fkC+efI%n1qS;Unp0TTMfGt7(pI
zg#OL&QRMQanO|sO$~`&1ka_8t(#(0V!2t%^-mI4{NJ8*tAW=)BA_oAOMvhq`M{0i&
zs7Ps?#vVI$S!#;>SepjKiOUjbx380x!%ze^!iH;heM~@(pH=;&ovXDPCCPS4t<Lf{
z<xxu&b@yZ$JG%H2SHS&@1n<IdN95mWRYwebqKj`IkjPaaVT{(JtPB@Toj#bVVZbc2
z-5ggKv)g7CYp-+PB*z!$d5XSGeM&ETxNgMz@f^_*N6~&wT|*^8+lF~_6_;^7w<QZv
z9=z#ciNj9fR8Dj!eRUdibhK}87089qd>l@Fn8qBL1Kw8zTaS6~myjwq0<Xe_mBGDB
z17)Fr$JAV4%ek}_Spn3<(+O+H72ps#t+`h(G5zSQ(?aLP1qfzomiL$M_v80{GEm!s
zc&@ngcMR4y26eJJOj%(q?OA>>g&OVDQBjlGt&(Rw{DEH?g8uTxbkA^}_%Z<ivuo9&
zIfmoC(@*pQ(hU^;LL%>tJ<&^wdCDMy%k`)nI6O~Ap0#K##B%ChcK?qtF#y9iBF+An
zb1pn$77DHBfHL*@F_W~yj_KnXw5o~%H4<$itWIkRbAw`uWp3qHNC;+JXq2;%5fL#u
zj`gqpXDByWuLA>2y+mkq;bcaK;W~dO$oD&RPm5i=bfn2}qg*itkxXiYn^{jFuTz+~
ztmshff&OR@#?^Lr2;6Oh3c&X5Fk&E4K27oMT{r0cyRj$7rRnC#6uUZAeZpsTi_Ma-
zQvG>!Xb83&_I^e`R4s3N50cn6=JO=`4FcgLMFqL8my7GYzeV|JN|U%<SV4c$m4D3n
zTEy%$1_I=kxepR&D?<=w3Bq?jC=37FTnl%f9<e^70l_u`kQ*?k0l=mcn|TfC7FDJ+
zgZ4E+bblUk{rmHN#aM~b*|z0vcowUdtTw%MkmeBcb7wexRWn{o&<sI7>V<%NihXt}
z(k=T$jG<A%$FpZE+Lr!z_x*R=$dWtX-9aS0Cus5Y5+hWXn=jT-j$ee(%PSAAmzI`c
zevJj<EZ5dLS^vj9CV=4^&yDSauW@&CnSK_lb#l3Nb=8nTw|1qG0<!s?PHAb>)kQm1
z>%)5^o-Fjl>a$+4q{qaThhpQkp2X)zqbUY|o&i%4TjUU&wIxTz#|cyW0c#8dT01}x
zQnkNHD1=+Bq2|187p)2<!)#~&n-_|nqVmX%+vl`iBmrJp2Ovo|v8Yk8W<5`8Q1;D@
z)j-b-sh$o@C@JI;@cjl+i`r*NtYv??tgpx&X9_y)Njz(HyDn!V=#aHm1*#2-?HIn_
z!Vpp%nQp;ndO}?)NiCwre7zpRW3YAnt0xORDa>KD2Mriygwt>H&nNU*nAnty08P=S
zWf`ei#zJ29Ai%oBmU(bFDYYG^H9PX#d=L(+KuXT?*#6OwdfaH9c9HttWC^7s{4m<(
zYUo!0inu$E#7?SNk{7qL2i1vJIT}OI+g@aEFkz{TWS}w#_BJWAFHqFY3!Gcw?iX^$
z>MKn>mFTi}#p0>wLrv}bR29Qijn;7P;UZs-FAvU(C*b=<^l<^@YuBbji__~`1oKAX
z7@>nyTz2M#?+}w0ybie)bwae?B{=w&*w~ARaa(vV5-ao%6DP0TmyPCI%R(@5FL+YO
zt(pT7Q}ZV*)5GoOdL5{cvY;KTjtZPh#<G8$6TFtU%fYJ;ZbTC=SQ&xmHI9)Ha~0+v
z-g`R57eEE0^Y#7jKEvzD3F`X&ud&&Y=t{LgLu)!l6O&HtcJszi!R4Dg90tuHbxtIw
z4}QC*m`XmJZ(BF^7oCS(6=z(04-S5g0%Wf1`(eYanSgcPNodY0W?x6_-q_Y<?Q_3~
zp;a@A^Dth|x*4)*YxUzv{`4>E?>b;Geh|u&et;(@XVY)%4G?d6394#MLFz9_K^Rg+
zXe@)Xqh3ho`z0`>FFFJw>TKBjP1lH6ap)_Qz(41-W_JPzxwa;Hy_dq=Euy>^sf<_$
z>tp8O(L4bElt#Vl*LhcHbGRG{VEXg4T`_d^6++#Ij)i1_%ZXPTOtxa*GHNop%O%#M
zH~?1qvy%{i;chvf?g?$kmQ0X7>cbDZa~YC61;M2<$6C6(xEM<wmU*D{10sq1^$7V6
z9}g$GornNF52Q-A3y<9>T7J7Zga2MIM#5&Y;0fFHq=3yXk9zF0$)^D(1B~d7J=AR*
z_WMu%SCTP~h_%n;evV{c>FBi1Ui3pU0-#$Sr>E5>jle(8j-H+ehGb+XYdz6c!)2Lg
z$Jw;k<ZFSfSxKXw+tP1AlX)al$vjn)Re`f&$}zd2-BH!-TxLk2Ynu4)QZSa-x<S?i
z1O7BB<JN>tx(1b;TiH9=TR~+TAO20&_(2z8Ec<n2*Vp#L2U89>Uf;b?>5C;65MXMP
z*NOdAHsX18y}hr2rRe?Q0OEyY&v$>@Uf^gN>$ZCjac$@4E}Ii~C)f=-e)UWb9O(7}
zxUHrUN{==y0gMhKDjrXa7mFJMTfx`<mm023L!vq>7E=_rSPO<{owi@rz}J<#BG6@1
z45~+Nm3uFPp)=UZ8hE85e=FI{JD{l~8kYCfXhjsqVHKXYR6^Iwh?OWUnlbw>PO4|I
z_5AXA{YE#@NRMNUM|Wqz9r*oqZYOv_A{bg&2LXaB5@i23uA3m)uz(371is7M8--TP
z;A@T0%z)rs_gOlhF)*5(AJ`5}?ksY&&2xkf=(+HmGbBRCeoQb}y*F*+J|L6uV&u*o
zm*Vc|v=EJ(42bHNgb$NQk{FQD4RaLNsr+IyjWCI)Picf{TW^|G?s<D{7c!60dV%;>
zK1srXNTaF9r}+c7xA0Qr>|2@H?A*>R&<oN5seOpKGZNQchD+z5KTIG*TF3#>6#5D%
zJ0ub-<3im+%TuO+I?$j=CgAgMZj6enmt6@8P$C{uf#kjJ*y_?Bm%rzAz&KnqM?8MT
z1&CQU6^SmSw8BM3_p^?8MI$>+Me9W#>!Ng>)U;81UFYqt3Z6M6!Bu29L>OCca+etW
zC54Cq;U9+Cn9v&6+lFNE$XrG4mKXT<Dn>Gei(PGF5=WHH7e72232+myS74Vs%o3r<
zMA~LnJx8$Z*urc8M@7I2NN@en+tSYRB!a>}73T<FgKh5EvCcPYNqmM|0ftD)^+&R7
zXG@cnX`&D(4kR%)5W>FU7IW9{gkmt}_NWHov>aQZq6lmf&Ph?~llBWcJ0eZ9okfIe
z*jbxL2w1KP#0r*=1HiQ0Z{!Q5%2Y9Fl@7h&Xl~y$Wh!IArtAxVU@5fasMCPYiNp(|
z%LS)NhZ@3L#3G<Bm&TrwO&3?cdyjDm&hEU=mpd80XMk72@BzbZ_1Cdw%5*LAgAx?5
zF<W&9BNNu=R9QzKLi>^vf5c=?5$Z3>Vu-+w0cpSevS3C33m~d4MupI5&$5n5C(SHY
zK;s`>D$$`csxrnGD^V~tO(Kk?1#!;Zp((YTKk|7mJV!0#JQE_!CB_q|R3?jI9r+6~
zd0v)NyV_YBEdBbX`~5!SLJT3)$1g|L8+>2~nMA%BS98UtW$l#-$-~RYb)$N!o%dik
z`_>~s;9>8&38=n(N#DQW`IEli87B0HVn>Ml?=X?qG)BNR8KsM37FEZlr1N;{TYZB`
zdIdE4#JmOk%2dDQ?Z`T-waFm!fa4iI1KTW3GNQ08PX8q*qG8EQC}>k|bBrjXQ2r{|
zuhDUmR&d^xHYtAx*l3<BI!G#>JFyI%L?LP0!os8pSpfg3ukd{g7Ci_CXQ;w}{<~v`
z$YCWTO)=Y&T6w9(a-o$&FVtpD8N&JIeR+jVAYBmBQUTI>A7xmlluD<mP(yb8#(5<$
zj|=L?+1s6IJw9{IpL*3YlRov6j(E&R%P@Mb7*eUkr1-JgM@Q(%M#ny^AV1v*y8vnG
zyk|K@VL*b@9&6&`GpZFzS*fRcXdAR`9o;8;R0qE-xpB%kXf*%lElXNmK64AKRhbJA
zXv5N`h22<>OLKwTnHf_fl}-6CY1`;Pc~#WYhJxM1Jt&A+S$r#jGR!ouzOz*%VqRA#
zvZo=1NtPj?LHc2gx;ePFh44r{$5IriG*_RuZNN#^aOJ$Ue{*p`5EE3l0OxT6Q}OBF
zCEBdw6rq}FFWx1w!ke=_S7_V%TV0bf_UWyU-3aClg@HCrDf~qgHgZ^QC#Fj3Fj0?D
zKtTn1{gTjn1h|t-6QM_Tsn%Enso{?MunSW``O%yO(lEhDU`)x%G`01Z10+@)p>E`K
z0RRk{$TXDz-0_qVDfXMB7Ws`h@c?#u19ODb_@T7!yj2{&`{AR}0?v@^KFlc+iCV{X
z>la7n$XT2_G_FKnD^r0g<3M1-pPbI>lO6YJ4F!<jIts2;XcL7*xSBsP`x^;eTv?cB
z`d_=deGn9#?UT40r49TSOWULy3lt?cZ-AIYF3>`YbA8kkWnt%9<;7Z39Zq-&9fM^(
z8yV0-Ri+2c6}%}H>SAnLpc1Hzj8(JgqmoZN{ia6mk)8P(RF{jgXKjY_;?lE3mQPn)
zh?Z1g5L<X<EaSB%X)i5zx|$;@B=F|EPT2tFxJ*affkLaaAX=;pr6Emo?dA+P902FT
z`)PH6>2x46AKY1Gu7qeHq#|PsQ~bL?cJ@M7v8-dddd%yTv=PX@oPpD?pq!{B4|8s4
zmM1qLma7u6LG9e)B2}@uW*BLMoC2Jb=PHBy$`niL;NQinsiLsD+Sr&8T#c5_{nCUC
zE9D%n#j11l0UAeCW>fPQ$t|jH7XV|eg3hP(;x6>r%~rm#o)R_=n<|Qbuc%nIs&+lE
z$(T>f9DgEb38bHr_*3gMF-);Xw<_b5SA#S=qGi5)%G`Jg=(Vm$ca$SgO|o=Sj&fdO
z@9e6R)L6t=Jyjr1ds;eq4lR_(lE>Aw4*fnorkOOICC2!?19>1$nP_e07(j`rlXcfQ
zm%LErlh*V?##i!+(zL>cp@d-QbGPk#6?<6|Z&>@$K$^F<>U3>b$c#3#V=Dj3gT_r&
zakc?IzkHk;7l;-{zwjiP58s44&=`CwWM502>&<}S?_Q2N)yJ%EItQ`puHI#^^KwlA
z!q;?JK8t6$5l^jJ{U|&>79h!or^(;AaV-=))m0F(C&7<~>yS)8)U4?f%K4S%BqB7)
zqyQ>Qxf4IO@xI%QNe33^pv$BZ(LKitOmtEJT!1`~>&mE;Fk~e02bilH!Oyk2da9K!
zN{z(n^6)Vk276$Xk<S<pS@*nQ0MZ%T#_|=*#`d6*F<S--!V7NA6@Zc%GG$jzhaE9@
zFl>T(3g&D=G90Z*(Tebi1sQWx6TEi@C(#ySf%3ZLKuNbv+KCGPs4*Q<xLhb<ZMWzC
z@x)Ep@_+?-<XZVIQWxm>EMTGfzA0tPJ;6blx}o7BKTWHKmsEi;Zt_2q(mcX=k%jwq
zprce+YxYg9wkaTh4DsJ)>S1jC@jGtPMis(1-Ffcc*p!5i_bKr|H6d^3J76sXzPqh6
zpJAJ}5$CJx`0*3dN#`|7$ZdydYrPk`+`|0Wq-7F}V5AXQM6_|Y@8LnDgakr7^}C9t
z@ww;_gZVj}{j3cFzoqZs3<?ZX{2YR!P)HTR9-E>wn*bE%J#!eOF6>}VO_65%!%P{o
z_3YwLBMd9M(T4cw_j^jr=ynqH4weK_=saA*N}-m}7H|GczV23Gs@zzirW44hKroPL
zii!P&+R04`Zoc;rc-5tE;|GSG<Xai$w^1-Tr6eYeiJhW}%l;(^ePJY#%Dx=<?nFn9
z4iF?GJpk<aY=4?GWRT4hYYdKaJidr?<LBpi(!%5mMES0P<UxxFE9ry=pK-AgqOw3|
zX(>ij1#*p$X#;Zuw5VYpioy$V4#l$x?St6uatf_`Fhejg*PS6y8*kxg^6*HQ0=#i6
zsm7#S!xEsCNDRuZFjX9iqVHX2v{v&=CU#{YEdbOTluVPbqopJViN0NDHz08LmGarl
zvQ}Mdf-9=n1XcB9y50K)_nl*9Chn{)L_vrQNKRB4dn_bT5i!Abm6_|0V*BXiK>C=R
z9Iv&ihUv9|k$&4+=u@5X1EQ7PP^R>3x|q!}?%*#h3(2r4w<qse(|M%K8mD`t5`7(g
z2td6wic(Ey(>sR>vmtKM#Mtv{7bx_Nn-$PvHTNb)Y}Opq9Om7*q0w$zccRCGN;8-Q
zvFw}-&rz-k?y?eWq^Z+9(up|y{b1K|`-Jp>7`Bd;m;p&&_1cJ8HZ#_-jK*e7c&4s(
z+Uxjy{yCOj5Fxf@F9tom?x_od?qWA94nSP*#|gHZSVAjl9&?XE-wfK(-Xje=1+{x^
zQ+oh)9=0UJBB%#9au<^c0w%U4=|p~SpiN}=bEPhMfOrqkT%z@x$#WvD>em#J;ltr8
zTS;TQ)7v~ot>n-)IaO*^u=Az7oN}?r(;!q)p7ZVu^OU2)ito{y9@)&dqY@?m5kPtL
zafMk?rE`3oi<73JDI8K;U?@Wh=+Xg%6(2`YCFJ;#BJz*obt+I&r<bSXZ2$2J&+f^U
z;R6vS?ruQ8D)|x3@Kl_#dgP(1*tKDIc$h9(-BbX#)KH7Yw)Z5kimx`T*A$7splN37
z&PoEY##wUADgI6ANr$`SyzvZOJK$u%txl0U&A|^xGyP5RojmF*KE}a!o3f2YJ)|d$
z+txfao{$BMj`q=5mzwW7ri3i$xz$04+snH%pVoGHxB5zEw&$+AaYicEbj>Hq9OI%0
zAG|>0k`G>Woil4=nmJ#?k-H*aW71KDRSJD7;eV7lsYp}Fh1<zF+E~EBbUMR48OvKj
zJbn5*nMcV#UW%u`qMkPqjHd^T$Xp@DNTkO6?yaCXW%oQbpua*Jt80RH8vCyUsH91S
zVM)#5rlq8BSf{O|f?z4jN7^z4c!Uk3ImKbEHl4IGFM?%C!HKt5iX$Ovc;|_aDUJ4m
z$+zjo28fR)!|g{<0L*1GRL9cG*6^{C2Iw;ycw`!3g4}(camLsxu&rZX4tX8oOP^kV
z9AM8ejIo9K6=f4(btwiZO7EF@@}?IHR^-p9p>Co^gO3L3yz%G9GL0XJ_5GR0lET$`
z@5d)1y8j>|ZnaD@LM%lC7i=<yOzvW!_r@XU$@5A_=*S1p0z!3Xl#?S>OQAK?#RSc}
z?KK7i5MAJFJ5`sv=r4>FZ;Ul3z~sGs$)=+o(!#YHt50f*vxw_~Q9CQjoOZz#_mH7x
zG9bv&@fBW=jY&yJaShRrO~%G@TOK>&n%sk&{|Y&7-R$IQ_`F5I0xrr}g-o>rU6ty)
z2Q_K{mR0&0fKKoIJ9aU_j#TLV;sJCNf^G+$`Zg6Sse#<&1)i4_^AJTfvJ#*)#12|K
zvRmOd#+(a0-kbhDyVsYA*5?vdhR=7ht@p@I-ZsZe{=Y^&?fe=(__GS?9*PS&<5YIu
z5yIu|`t6j3r*;m6GOlAM%}U-pDuoC>5ulYYHSREb0Q6trX}7;0W_3L*twXvp^0F4n
zu@K20O(xKlkOB~qewfa>EnTEA__?H~><7vx3~1d(7zs(>ea)#Lso#hQ76XMNh{;}V
z3zR#>O$l$u)uAXGr+}0kcEsd@g*x)%3C0K`4&$`Yz;!wcCX??NeUrA({|?oqWq8Ny
z?Diw11D+!5&H2TWL^mvF(IV?>?aCVFWfwMGQ;<#KH#E>q3{oocY0D`irMt>F%2zZr
zlSDH@%wp=(CPG>DYDG*D$O6fjpQP#qG@N__$ezpf!@<F&Iw4yh?{0UXv!h0Sv2XWq
zdmQJXcu@ryS>aH}XHhNbrOHDKn7FcB7o?US00PBi!*g#HEstlfW(9P3w0Xe>Angnt
zHPCu<8Ew!Wx<N0E?4*Kr!dZW@`(o-g_%C!lhvFY^_Ffd^wILw)<2hyRq0iXO-L)f(
zVjVltL@7$$lH#O&fd;;Y@cvlhM(n=W^Wf(9i4O)tGu&n@;hcWJ)P&?O#yAe9Io(GX
z0=P!K3nOde^oG9SA!eQUePdLUNwC6^cYTQQl`3-~Za4aq@WkZDKtr?$X{a%b;*&h%
zaFH~c)8PaVD=0D54aDT7&y6(2!X#ZV(KQUD;0>Y}*?$WWNd0CDdRFZm3xX#VWsZmU
zV-_<H3>SI=sa*oa$#uOa#@Qg`qG6WR01PJp2@&YZ1_{@Rz^@UVoLG-et;9_&F>V#*
zVD8>R#BDrnN@0=GL%}T-QIyj-jKr%>PRi&@o6?{z#^EgMPe|y)T2Z2{$}=|#W=>@s
zk+z!kmJ582a-)0vfl9rWtQ+?ugZ#Zq$MY<tqCPMX%GOEd11*^4^98jB=Or#W0@$n4
z<PbipVt^^5z9so8`};Unvb(P$>-j_lRW~kaSE0B)Q(YE;!!VVD`tIRP@KMH-Z*Gh8
z*s<Q+7xq!aG*!B4Im2~yCNHr}mBaEzRsASghWZ+gR`j#qEr0qnhWtI%(NPqM7bwr-
za&{=i3Q-jOdEBTKq>8d7g2&Z*1UO^DRAyA}boX^oyB-ev%6Eu*LreGzL4TZx#CC0;
zXt+643Dv-nrg%$LAFu8%4*2T4@`~NF*=aam8|u7z*3nR1_elBIXFIRjvQ)NR8?=vX
zYC5mdJ(V1kYZ_SXyfQ*go|+lP%NTQhcv&hEzF(xj5~LNDwF!Pce2)NnfViJ8P<4jy
z(wn<SJ-Y!U=b4?a*L8wy|4O2by>#w_7p29K<>g;F|J5y~nRomJCow<1QtG{LjDIeo
zhj6|)8c1^nAlS{wle)%_zq5Y>*W4qVl=47uhv3!Og&5!VY7e)iimP15n=CbW7Y~(_
z<P1bMXx>gP%e9yAGVcp;0hu%#%B2^u@;L<i-16|Cgp@xAMR?3~&8y!UjwGqIEG(d?
z%18GWP&$0`B#(TH{DSa2oaO;lic1b#yU~p$B)-2b^XIg8V0dm6A1ux7uN_6Fae_nZ
zcJzw)<|;ne&;5sw88=jouKU37Ndu<sY_u*An(i)=?%z4TwjMUXGDCp*@1Fp^^B;s^
zG%e&`H+Fx&R}ac)^6L=Ch2K%4skRrEpHhy!qd;q?ts0a2*%Jq!M=^lNx<y+T*Qdxg
zwoR`JNHSp)u0P19v;M@}K8YL?)cy8}pLCq-y1(=BB*3G2VdBJVn%HYl;(XXIbbof~
zT55df<UVs)Ufb3O(CqxA_p-t#<RmP4jgPckNORuCG(l@XuN}Wn-tn1g=XmIjpG&hR
zYl)tixfFXr$Hb09TmC5Xbss9(Ur`g}yrTuJdVaj}IUHfKQ3>&XTAk!)bb}@K_N#(h
zDPG;j2+n6Y`?tk^jv71{kBh1(#*#-d&TMEP9m6`(81i5ObP-p9aX>GNaT9C8gqbJ?
zybz%7@gmbQRp1WRk=1^4<;H{PI|R*o!;Er-k$&k4lykii?J;yFw%t`{;jk7X1-}-B
z4Qsco(J(S=r&`zFM%a3hCc@KkD-=)jFrQG$RJI1kPXp8RvW<RG=B~W-c)(p@)vm8k
zsp8orb!TD$!l{o4P~9lDmxfd#;$gUB3sKRkbkZ_kd=?QuIZzD{b)ZgaJVYCWL-;2V
zc4;cbGCE<@%tnEQ{xsWZXHXvJ>I7(*kqi*R4}LN=6I2v57`O&HdttDPz%)f%QlM`i
z>G0=VejB|Szf_$Am~tw8oMMt)>kgY6;Bu^O&64E+%d~25#xyzB#oNlbOBb|L6q&_)
z9zOMmEoHnpE5BK85_C8I-56`7e>bM)O7N&jr*`EzD#l4wcY_uhudp<>s%qsow^F&D
zhmAsI*uyl<Zj(&3F%gI?eBu52dS~-Nd?bq`x2?hM?8JOlv)86Y2Ycp1vtOi39{pCy
zexnW`(5W&Rv*mt&U9*=NG%okI+`vGG?S^=$=*XT*^~Pk0<CbO4{y~{`%Oe#+?YN6p
zo2}9k^@<I{%(a%(N)?luhxl*Z(%)FO!a0Xohh^zwYMI(;GUUHxh`h|6vCc!jxEmEb
zu<K$VL&_!4qEox`WKMf8QA#I>l)smVJEE)rS9-kea6jk%DohN=dQEl(b@SH=|DL}+
zy{W6p`<jd+>L1G^y{W~_hyu^7qBpe#)=u1?bLQrplZP79W1ab)j556hoAHc`13li#
z&kES*8ed=ZF3^VEs7(=yl9|mC&$N7w=4QU7OX;$2r~5K$DP`;#N;>imnKme*zP=*>
zl&9ipTH(vr`pv5Yam*;hi5h`*154Bc_{DtNU7x))I7IB*&}33o9x6nOGevwD@~}fp
z6sw%RAc6yG00$y@!qAi}4!!Zv33Sd!7P&y19yPCC=gMej#n|sElUCaWgc)8(Hy8@5
z;SEXM%eAg7)AQ{}`1lSrQo||I8#a1C2z4@*+ETyraQFn1i*U{H*XQTiSJ7zQ-wPt2
zKrdY3{Pe^HXM?L|y-G#;k?N(sGsKq0z#_}l`Id{^gVXvO_?rET3?@DJv@*@5^rh6~
z7N@GNtQrFzZw5iMi4;%wo|A3aqnAbg2af>NrJJ|GP19KT>TwzCw<HHtGXg#UZ%@hb
zE$I_YXfQQfaT2295^<UE)~V%uqvp6nx~E}HiULBN>9c|0Dcxw`+uC&st(V<p(-~Be
zs-8on2$m&sNLXUJSY8z;W5(rb)HU(!hXvAROwf1PNg+S}ETwkVasBQqi>Zm}`NriI
zM<LeYph@^K^{QTOx8I~=e@7)?1Ld)t5{rELj~t8h6THHf@`SF`1z9r?|K_=oxpgYX
zcr%}5d(-g9W<d4Jd>U0g(t9+WdXlel8}^9<8$Mr1#ocT<I;Iobx?8Hc#f;!T^0#L@
zc2#Y|{%4U?)H$-5{xA4zM_XWLuPwdSdKEpq{bEU^KQo(LWEcamm`pw0vEZxt4uik_
zk^}8^HGc}6^t~s?8klKu{GQp|b5A1XZEi*w`LBT5IdC~OSwvUF#<RJTP-2i3Bc6d)
z{mni1OvtU_UXNN8@VYd7r9(g7-Hqtg0Z<y!I6<<w{1L<MA$4ZjHCDLtXmo-Ac3+Md
z?C;u<Dz(d!NdVPMe0u-{9x#3s=9HAUl(7g21&m8tCPZ&SXCT%itTkvychEHb$L7P)
zHZb}7)_Q7W^wq0Z6h86ma~FXRrruU=rgtLZkV)OG&EfN5%U<&9^Nhm%R7ZcL@)!;@
zISYFP6Czr)*rvGBEb>^f2eD0RSbmLs&=KHPAX5D24)9aIJ~Vt*V|L=5RFX4ux36*K
ztFR{x_t9^X=Kiy2ceJD^mqZ}n`YV}2;foKv>V@R0hjd1<3GOBDcvFcTYA+f*%x;8A
zJo6n|1joZ&4t2{IX2SD)aHSQ3aHSXRd*0k<2`^z4{}|GKM3%p=&&V5(YpeBnMMfYx
za$|Vq2hiEN8p3ctv)psAH{|K6?-D}Ge7ZEKGvaAxHoB}GXYh{R>HWFv&>Pp%MD&0j
zY}rUs3lAy}Z+mCbM8v5>H3@5}9P*+)0OfaW5efa`;{2EPpy>CE?xasn1>O;gaig%M
zMc7*s?_@HI$5z&uT_--0-^=qbk;>>i7#f$TC;-|WO=ABq%EVOs=4Ml|TY;OG%!P~g
zW!Z^Dvm@1qwCERejL=79z%>W%x+RxV1-H>c4s}%DD_SVpKVPzN>@a0R_U?{{v**)@
zVHY)0c#O~6(*O<?k!~aSF^Zy&?F;+jl%L|UK<HPa9ystVV>}cmWFZ|gw6YPJ$l;+H
z4uD)gI@tH|Dkg6^_m`D<!V!?^_*BPg@M?dbf<{xqA%?CGVgI=VJlVP_8gcAz`m6J>
zq($Q2T}Fi!5Q$Xbg0Y~rS7I@(L28%3_uMx11_l@7SH+D%XTpbxu2l_&X*Z$wh%U_w
zKqAjRynk%8VvSQuT1WNs)4<ZBFEI2GR{`$ejl<$|0s`h(YNEtE0;K(OMk2(x8ZzaE
z@lek;W~%FTY5%4>V&s1mO^p1HqDh6&!{h#sqD3VBQFJ^M;$Cz*!#5$zQo<eNKZxcm
z`UlZ>kX5GWezmngVEH(>e3nyop$GnHGc1U_5_?!|^~H6NDP@YF7bpPlIL@m{yg^5C
zviTtKm2mfMxC9JcA^34Hk%?KOLq@|z+7LSXM5#u1iU!|swiAlnnjlEVaDWnIWt$$3
zj4`9g#?)`Q`Mw7xt*1>3Vn(;yi7+np8t3^}0b^sQE+aZ?kmX<@Tx*SzE6Eav9|3e!
z=t)I(NU!FKz&yIk03N`V;3qv6;+7nWN{oiTJ@iy$wha3y@98jWOX-YTqqtzfC8S!C
zpDeDGejidwfa*nR%L(+hqsgC5xZ*0VdBl9C>nK0A$-yK29R98xv|5MHo=Zc}^`6z-
zh@64$YZPCHIs=F0NQ^@&s|ABtpu-sN)Sh06@FA{;i(y7eJv~4=$=OIGXI!@9ffEo;
z?p#a)3x2`Fj04(2IVr>AEAHN|Xi!x7tRFS2ey}j;XDQBRE^Ymy>F*qXY@128s2#p+
zH!<gpPQ?-}7lPfA5GXZ;t%8KlqzhE|eln_CQ&y`Io>%^I1cw6wj&}0QN1xAjS<=zF
zT*qbl+(DI9mL@<vaeAMI4R3;ipB%2@?~O0-%)8SJmmBv2^gB-?KP0sh?zv-2f0MOZ
z@9v|?&|SP>WFTBq<KY-R#0Hp?J?f1Ugi0bLXzm$P{(#&k*ytf$YNC7M=b<3h!5I>>
z%oFMHc`Fg;!Ck_sy~GB`Ew$puC%bNa2g)y;-($<+jx&G)okM*`E(><<EPY(32Hnhb
z7^u^{tm*FDtEZ;l7x;tAw7O-BAed|Nw4FUYzVx1(m)`CKJ`)*{<++J`W`LAr*Y+d!
zMmTmKU%TX-?SI4684bVB{|!@eIYj$IoabgwijybNGqR<H+<Y4X8Yz?&)$zjJDx8Oy
zM}RoQFC4$iv9mFxhe}>23U3-wD{G&u+qHkyX>}BYh-_xVIeg|wTRV#D$4$(=<s(}1
z1u6T3(P->g<+%eq^{E~y_;R}mh>fc2)8|2BTKG%b?tRkZ|Ks+y&0o>Ay@n#Vi2QO$
z;Q+ke8loFz@7J98(K<Vb9z%Kjb~q8D0ubLJza@{l{9X(1{Q9k97@TT*7Px5|M5`~d
zztp#R5Fqy16l$@+5JDpR=xN`T%>l{lB&LSfKqKAFXRM#?IttZ=WmxUZ<cK^*AAo-<
z{at&(>0=ROrDF)!cCN%><6rUg1#l>J^uorPv4?8n@8Sy0-UrHEZ!;?C>Hc{-0F0d=
z7BN$r$9rl($=?F?fZ9MSz@8f1K=!pD+&Vq(>HP%%-K9W*++>ZCleJqPn{`L?<8Qan
zivUSQ@!^2c4cSf(?Vjw>wbs_gUFqhC26S0|?wB5&?(Yu`4FP<=oUVR4gMRq_3A=3F
zJwAY+z02>b*Kcm`yBoRT7q{CZ!1edQ>$l#`4S#p{&&X>xwBGbJf9#Fc?NHCp&D|G*
zcU#9z%#GX5&d>Y%x25+^2!q+n&hU%ZP0P3W*QoRRh-}xF(M9amBo5a83csC>wLN9$
zkp{3n_@o92vF<=6WrSd;|Ahlq?}SvmqMuyXuvyzq`_4|=&Q8~k-OkMoVC&{)=Z0YO
zhG6@KVC#na<s<9k>-wwPtLJ9x=H(hO;{~$nBQWbDaO)%R`KxdHtMB`(ukWjG@2hX_
z%in3ocB{qhdZXjz>e<KZrn?KU!`Es@u-y`Sy>Z*@v~#`Pvh~sIwsXC8!*=tc`QpX>
z;??oub@kEJ_0je9(G~as=o<LwD)`_%@hx%dS!mmFX*t&dT&`$c5y+Wzdbhn|e=c{U
zMGTN_t2st&?nnJStVKXY{gNV1i!%nL8cDb%7@#_oLMGUarT0<RdYnWF`^k!geTh}|
zd4ViSPWx;ML<XDUTFAuoAt`^GE80b8Thl7Xf~!rTFW;wWrj!E%fHw|Kvl|b~A{xb4
zgBXUj)`ew;>e6mVi~c)ycF`bDjooe+mF8Kx>sMeu5lOx{>!dMN#YXePupoVW{H~);
z83U9XgR|Ep#{CZEMg@HK<;=m+Jb%={`#=~7$GtLd&vYo#gsIxaWaLI`a12R75k`}w
zxLnvaKCyIBA?XjmuVg>HHjR};>b*MdS;!8>`-5)Vq$s7h+FUK5BoOtGQid$wp5N%D
zT+jorfYi(*X8_gErN1n=<`5E9N6dKE0O~V>d~*B%_9p9KCN#;wDHjRe6ze%1(tFXk
zEc{Quob7C?<*+^$MA@-iC2q)HF8bo`c5t|7O5&!;`FCCbi0%%~^8JKO-H$%^<tx_P
zL!m<CA#Y-Ywl%JvwKdu49aF1`cJ!`>Cuu~Y3Q#$=?t7qvkjr0!PH<xIjDc)i){$B)
zy$@1REDT^crw@twf0X~=7U}}erR+P1{*g@}RzxXyXCUh)1lk@2ihW3mM6Q&AMz?4m
zU9M73Y)J=Tqn8=G*TzxMY^;-<C_;pSh93lJ-yoj-{OA{7!DOlc>I4?#79F6&0;K3i
z`(wkxUx}<hv)HS*+z7JZ7H*7EA7V!jGgXt9o%L!UV~WVrhr*|v?I+9SQHqF)2rB_W
z215YBw?JTrA~&0(ZLVj`M+rPfMl-C2-C@jq(gXvDWbq{kL8GU#(I<5ye^Dnf0`-e$
zoeLBDhcuWIkR<H$lOU-%fW3NJWI6qjC<!uXw^7-Ys0<;{*yqq8Q>y{S_bdZH-yb<#
z<-A-Qw`~fACSl7ix;GCmNoWet1rr$P@`uKD^@-S49-2|TYpB5C|9Ivmr${>m({^01
zboB*%UKFmbnm(KrPbFy2@^LB@!9-UDghdKRd}BbOpw9%$+j0+$D1jp{lyLNxm##v_
z{xjJ!oQGT07agDn1~x|v(Z{|X#kP+RDRbbk#x%z%s5%(08!jaD6sj3BF)T9R162B|
z&kd>SAj5`vHJRPVP<j=>v#Fn!_r+KsJEs5=EF&TJxUvW?{@cR{*v0*Jzhm4T$<vko
z_KWkDaou&XdT=slYXsZzsqU>9PoWGXftVsAy6h3gvqha-^ZrpTQQ@Y;Ub1j|ZMY}W
zY=fsGD`#nGp)OybRTFhlRml2ZA*{1>niY8lZ>cR!K8916o27voXFc5_msSsuq_RTU
z=u`r8r7drMLNN>b?v`_?g6-Ho=Y)8_DXD;`wL>^_sa)pY1arU0Lg!MGl}7;ItL%6i
zpgV~uthIit3j1zs>(@%tDTAh!ca2=A1R|NQbzcVWfv=a75gEt5e-$v`5G3iHr@K<1
zr8mm>c)Libix$Ncuc^Bwam)b_Bsy{`?nisJ7N#&WIu*{6>~){ijk?Py>j*IMvm9~C
z<!7Y}L@E$!-wEo9Ksx(iXC1}aF(~v=K-46s%C-ot?sH^3LXPBV7qs{vLvYSX-by1v
zBbwi{BHNm578yac*6__V?1$l6!R7sXiLvci-Na~Ksat>MY*0iMkhN0{Uz&y&H93?d
zA?$D#6Tm>r{1mg`>31rt2F6j;m)!o#%9$61U6XU})azbFH*^W-@rX{{ZC}cnuG<;+
z$z>5UJzux87k&A9|Jykr#$|J(muC*>(}8vWjOxPK>o*#=sn2H1>Bmmzw@xuu4n!^G
zkzM~;_?o|Qe5hkIV1<VtofvI4mmdo;0X+Xpeoy%3ji~#V2UFZYbV(w$Xz+K0bGW>T
z_l)RV9TdEP;`vLUmPo?|BbJ^{1sMe2{g<ugaXCo55f$Qt#_HD_g1Vz)R{S?ho75Ow
zmtycjs?V<;7U=S*6J7?mF2=EDWkTc26=EWzaiu88#iQ+N0KRQP+Y2l#QM-&Tu|tU}
zBa)U1*7=o>__eoa+tMKqsmPjKrDSLsne?4MKF;Je(!{d(qzA_fAF3{RR|X%v?-b_8
zS=v=86j66oBHdF_-9vJ>;MgWHUFVfFAWu)|ITEt~Rz>7@QGNIqLE)lm7F)}`Ef5V_
zvIgri3p)obfZ<2&y$J)nxJ&jqjHPWxd5RWW7*?|Eh7FkFpA)w)NzL50>jye|%yb2W
zxWxRbMd}2+>F$mCG93Gv21$BfI>5T!n*C=8=;_Fra{TE3>k(Gys0q7eRr3J6%qZkJ
zHPAUZ*Keo=V0f58Fa-Gn-w-&|_AoTP!hCb(L}-9+AFp*S>rMUruf3Ns955_CGDBra
zG^IbnSp~g9+UKzT3T{{l{_vk$4`Q17w4q_7R)jMKA}-n<vcb(wOfCd7*m-Dzi^{lS
zYNX^Z*L`Tko5iicPxjss!vdqbt+yHU>fVa>jL_sEM$n?A2<Q@1&{Tm39kH1l_KR2A
zvDpA38gIAuU+E-*?O&)|VD!IBdE;?s`6LwL9H9(ZBuO*O%VqUgH3xDcno<59a^#Ro
z&i%5d<{OhBO`uPe0HQK(Rmh|&9ga(OSl*?O+D)`x|6L8&Q(9t1iLbt=$pcaPMBY<~
z0g|L79Sh`1pl*$?8vH}c^J&&r$6IwAW1|eXEYtI%2%q||^F{oTJklu7P5v&-O};%q
z$@L8S0FF$sLI21r=k?Wx6xBL~9tJ~fIKc!31z}^(Gro_;#n|UdRSs}6<tEz{wmGO<
z_dw$I0TFkGJCFndC0WnM7p)Z+!WhHT9Zz#wZ85Otp0th$U)b8Dl(|_`z+kY(qX5K=
zh?w6aT(N`+#O~q2N_gN8)D96@HvL*n*0PF8nIT;RQa<W!9{E0-bXUU_95HT6!HS1s
zSiAN#_v~%lx1XeY;W}S06G+tfTT(VeU5}}|%G4CHN6H<GB5SCU5)qQPssmfuX~)r$
zR}_?Z_^cY7n08cdpFsVWRLPDy<{aRXf+?FozV9(0iE$>7!BR}h(p1kxmJTt_EUw`a
zZTQEvA}s-Y_+NtH>m0^2v2J6AH`kb5)X~}p^iRD~5yUceE~&_0aMWq>@ZAX~VB_q3
z!3YR!C#0V~&HZJf7q-^@V=5%LEXLMoxP>Tdo<HUR{U%|<6imRIKH@BKZN30R9p(WJ
z&gdCX>3}>6$I!W6V<2!H3Oo;430XX5Ju)3dcJB_omsqNSL}Cz;{wm}&ipnJj;Tzd)
zp($Yz+cOTnnOFEF#t}9-LX4Qu%~EAw>D0BUI&F`NP&;akiavD6k|VTCjNvlROfu60
zGvtQ36hRy;!dcih0`2275OaXr$Y9ss%nF<1=zQ#}-*+@o#H2_(gE32ccyFe_y1DnD
z&X%YTD~*kyKg)}B_eBA}y<D7J&VvQc!f{f%^gBML$PG0pu6U~lXzQW>sE4&}STbg1
zSjxqSY;%#rqWXL6_~T<aYa9d*3O<#xf3Ngh#~j#ShCB1VmXZDY^`QsIrV1iLT&%^^
z?)J?|Vx>nOpwiCAQ~?VAm)6X+o!vrs*qKB5drI-vWDw<tZAiU2ZWjro^Sf!d-X4cz
z$1dpMi#*F5_>Ti4a8l`}TxD_qRa{m6LKualg#R4ZC$^$`)T&Maets%PYWw*e*#(#&
z;6kcmTH(hEqtXEh7@Hel0MF<QE52;~`$_Q!&O0i8tnv-xy!-z`n~w3k2#hOGzEyh(
z*R7@VK(nW0#B_WrjV+?;+?*v!o&lP+6wcJtjAjuOk?FKU>7f;-5X_`>xf|K;Bs<}#
z9sbrl5ukoXT|VkN+^Zu^V9)vUOX*pj%oDKH+f3pj4bp&fGe)#vy47`i+br(?!ka>p
zLc#ySn}NXx$Pyu1XcSFdrja&wsHz%qhk3J>Ze(-i{pAVjPkJNPH%x6x9YO`-0tIi%
z;6vdOMt<lbuEz9QmMB=|i7m9L@kNX-BVB>1$lHYF7&-)+Yv4iE$C^UQboatKQY3c2
zPucKVGXQ@K3rpM&|0x*Nw;!xf2eD{vsnDrxeni<t%DZJEA`?bDhJbuRX5pQ2_#SVY
zv1$u0Ewk>1WX$tTI)scwBD3E1ac~o`fTj}h0F|~}e0r=)<5Pw+kj3TrClJzqG5r>E
zz3p=F0E63T7v22Fg3xpI3VuSraxhs@qN2h-;DEBnl0PoV-Z0fV$>)E3V1z3FxR_KZ
z@@>w|x`7)l;IGpBieRY<xzq0lQX{Q(%<j<k*vzvtZs|`jx~}`<)mEuiSt}Wzda~l_
zbJ+(}gPVLWUc}(f<fE7yZfFiVY#7%f6=G=48z#M}Pup=`nzl0_GL0pg4l|sD{MY9O
zW)UFgyjUwMu(DZ7O+AVd%l<xK_euKDd-kAIH(oKa<p?Dz#b35z3k37$(9p70!!S${
zR$-7xn}gK|zJS_|fUMkc#S#`hs=V=IMdJ;rY%?SUMJ0Vh3th$HpK(rIQ9Ay=#<{Mt
zNk-U7bh);D(#T)`<n*;<_{vFE`4j;Ec)1mt`dT#z4JNw!Sokgvhm7+~59eMk`*qI)
z@Vy`Q44;D<x2V6h&jD@2e+`FWIssBmte7w^y`3^M`Ia!xUwo|1o{1Pkp}8{5CN^I+
z%f{{YzV0ehR(U5RCJocAMbw%+m@h%4Om_N?R($1e`|P<>AO0oeY#EIZA;7|%u$;L3
z?I_vnz>m-=UE4JT--6XGzLyWIdgY|w>cUC}CHeuL65=)=HOk0yh(*$Vh$0^pkYp@X
z+CaPzD!~X(c{rhrr`|TnRsunK_lIOEE!jy-KsK?ZJX0f|T9mx9%YPF6NPOoyF8<fQ
z5H6+U;Um#3$a-#5;i8nOHlXhLs0K5FE_nLtciQdB0RlC8fNL04m(cUzkImn`!%*EH
zaC@rLy`f)6+#j)7<eqK1oew<ho(8|R#%`Tfcdo_Q-3w4$q9YX!Dtx``1ntfzd$1w$
zUJz;?-oXxW+DA_IRyPvnd}}NkCi&jh$pQ!xGd^R|HQxDH_x}5F1Q>5?RPGa@bZ1B9
z1Yeu&Fe%5+OF3xg3CG^aO9UPRp1rFfp~q6Xi;#r!XJR}mP`S$SlYeup%Zoj-BDYlW
zqS-d~e%3U^2G7%<^*?gBV%(pLPx&w96%k^QICB54E{ZL4+CB<r{EL@WImqqwpwN$l
zb7QCGYgIVR^O{T!V9y#4SNiHjP5*}<iqp8m2Qx_0dF*7=>k4Q`6UoKcD^m=24LjK4
z0HcDr8)U!H75KgufhkqmdSD_UvPc<!-Xzj=bR<UouQ%<@d0XvD*@z;O6mN=<2|2TW
zM12vPCH3D8JKSdmQP0W)o@{vzENbX3Nyz&&qL&89m&4#2K&c1>hhx&~NSS=bXOd5e
ztamgPRLC@J{0M!G0nk_-g`MJd<(%kP%TL?WO=eOzJxhq^Ird@|sUpo5t=w613lI%*
zTCz@sbE#^2(*&56Np1;Ue+QuR4eD`RjhW$uct$ua6=ZHyKlDl=s%P9gOs<hO^pnDb
zwXlAyKV0kwkW`r(-0w2JyO+H>&JzB6<0DQ_xyOUCL>t{^c!JlqF}(<!(kWt?jqsh3
zeP?pxMjvF}&{%H<xu)6b345+1%k;aW>+383;8v9`r3z+=`d^OWoZ(9nn36<O$}cj4
z0aBMEV+m{(H8RZ8+MW)r$Z>;;FPj1rIL+skR%kr|fVGjT1Zry*4e-KNu+T(HLe467
z+~r*MIZv<gP`)y>S3US?a=V(cAsPGnQ9k09PWnS?D<PRA@#jAMkFkeOg~-K{#<T9V
zsupb=7*&#>pSWK_Q{<GHoZAd&ASUpw0dG_lw-kse!~zR1FK^HF+4A4b{9m~6wu-qR
z;W8pm06++&D(~WsmH`7{2}>iUJk96z^5Rpz!+Y&Bb2U6ud!%|1OlG8BZiCu|!rv~<
zGV%C;Y27n1KGkg}l7_r!4lfhmD#z!Dl#0Jy)MhmzUE26d7uM5jG~HopF3*~&OCF*O
zHDDShU7aZKN$64a=dkzpmTJ1XR`>Tpw~M!P0FOhw5WRML{a;WsHFnz_6?j@6mq(s%
zWRgV?y4h|kym;Zm{l_85x2KySd}{8BT^PkkoqP>npm0yWbqCgtE5N3LQssM>3BFky
zhB2bfIFDm-h-G`G4h-~BjcogRS+WP_?flFxb@|w)X{RbG{yNoL0yNC1_Gp?IRsa55
zQ@}6aQX>se$;^wODPnurBN(x|n$0O%){@927T|e&A;dQiJ>Sgt(F=K%^-BqD7+2P$
zZCr_nK=(WA(L+>^oqN!!axoiXO&poRa>kW7j<bq3xF0t#51*nmpSnbCsF?)1|EBrW
z?e=$#2TsciPk~0Q<%4jPkirUh=pnHN^j#uH_l^3V1yd{ClFRgs5z}Bf>Y4AxkLwTq
zK~OW<ko~EF5k`5dd6np5XnDq{>6mnlcsW`7MMU5QlGBMJe!ut7Fdwphy<9P>ch*r~
zoMPnhHFF75cDxKeG=bw198vvv6_-*--`xtGcN7X=N&z1F<#07X?HR6#D=ZcZn0?HM
zx+I#uTYX2`fH@(+)*3!U!igu|RWM+E0mnAjh&2qdDZvMU!8TZ^<51nsPgt83i>gi6
ztB9(db4*5VX6`3HKe{i~HFFYMeI?dig6d$7>dJp&6O_}qu*&zZM^RAq(Oq8Ak|z|*
zdxH%KfxfUZ@zzPaOSTtA53YUz2y>jeujqb`eG}Icbm1CROzSw-@!)A$VJmqIXK{97
zv{glvjZFDq)qq<vZR22|)L>FGCqR3$a&$F9r0Cd}`)e1ie40nqJ>4iiwWSqOkQWbv
zM1{7cO1?&5Q$ntX%b$4A*c7e>1ZgnqVR$1ucr72Prfb6<<M=YHOtv}zB5i`yLRpNy
ztXd+3y)^EBGXea5g2kU!T@;_{{m|u-r&x~m0AG+(37Aa#qL*&Q?F*Hzb5@0nqlSKS
z{bHOl^1(Nn2;OmY({!rtjYnCJ=6wFOFLxRmNkMtLgN%-T3NBr?p0-i{FKiu?;(Bv`
zzZMxu-jZk#WU}_+MOh$Y_iGiIO@Dml&Ojr<VbLtpxZ7zra4)WU`#ph_L-$gK35ztf
zA`yeTC?Wt=Xi5wx{z!eVkA?bOEBWceC6=1m_<m+<Z*V2RD`_m^ot4WY!xS6pg$HS`
zeWSe9OzsrA){uI(qW#dG3s6qFy4;%flsq2=QiT~IVL3VjOddR9v?BDFwSP(@cR8X*
zf|yc2hH#jvr*9-x(w%$u1JuQ{9LRjFJt$_I7&zC(kb9`Vh-kVVjw#9n%vET)!?eh=
zWzlgtR?^U#J5G5P*QGlU8fA0)K-SrMmK`=7|BgSZ@IiqOYTENdHaw`So^ZVTD(GNT
zkxx<SST;78=x<qQP;VeS=YQuRgZg0Rh`aKdy=bDs1*7FET(H6g6ZLX=RIjrRT(FS5
zh{J+e;$mHA#e5VnrQ0EhR{#VoRllV0lQmxs1b9$Efa`()zo7nU-JxN+Zw*0Hm$xtE
z()gxf!GqY+V-+lju;4*T1IsQ#)j+PcTMibKjLjT^jqu1hk~|)sHGhZ2HURaNrNP3z
zJ$8l1Q49n(qAMAAOWvKai94g9zvxc#ib?(-qR%;w$L_@a&9ZG{*PV^`OsDbbdT;0s
zyglgY-VYx?UhQ3zOEE_ted&MPZSL>?2?IcWnqnH?@CEvcK&w3Vqv_mPGuOdo!|SJ^
zncvT5?(Ezhn%&_8Fn@_P*!iWkfB0)M<X{%oriD@?aE3cM2?rV;1y6k=8um_pdmg!F
z5XUB23OJdENfO4WL2QUPCV;g?5M|0;46U=L;ebEy5O6xM7LvCSU@ZsqS|0$HbDlg%
zd;JLTnT!K&^c}Qa+nOAM^~X${4v*tw1KR>__jVZy1bT~&n1B9!=Ab9ot;umOUJT!1
zqNypSh4Ous{tA&gEG4%ooaHIThULm0xtGB~6E}o`vZN1CpvlPN^dYSbZ<;s;KX_~0
zVIv++!+?51T_D-9Rs^gl1gFKetDn!zA>ZpB8<A@wBG+!Gg|Vv;xs4-o2akZrrD#*E
zC?c0sP(}5UCx7hBb~b>>Wqzwd<f7#&M6N>Q67_O<RIjr!L@vIDmqz5)dQ4jlr%TXO
z5~oYlFDVjb&6k7IMKgpg4G~m0-PXmGI6YlB=r`~!V{*yVniVEDd+4Ra#9n&AsRnZO
z-BOsGaLQJ^EYlmSK$8@la??m$EF%*EU3+_4uRfS#^M4DwGT?ALb2tcgWz$;u;`c7D
z?pi%6(Gw-0jsLpYy1D7!+zfwj)(`)nBoT{$?cZ#PuhOZLZgKVDEZu1_IF7nQ6Csnk
zR_OM^yJ1b?<Dx)MUI63s*PBtVMPIr*zZi|*&KiH;Z=BrR?A_e_$FJY*{O2q9-;d|P
z**v(v41a#S4!)lUU*H!jxR?hI@XJH+<2?B7GI)O;{AC{O!!Ostr+LtXU##G7^WXq}
zc?bsc;P5i|={y+EgBJX99ekb#?aSKl%|8+!{r#Zc`lI&yVd4#R@z?KaaumMj88$$Y
zMX5$q;TEW(^RYe#Lz9mIyzGhe9GvtWPGzSVbbk(l&SB7L1)X-#=>(mlpmQ8_PJ)gR
zboxPO5Ojt?#|%27;AlTMY6eFK!O>xG)C!K;!BHnTItq@CgQJt+$Ou}^pmh+m4ue)J
zXtje@Cuki7t>d6|613oLKWGht)-Y(9L2DGW_k(sbXdeXa!=T*?+U=m-3ED?N`#5Ny
z1b=NKI2Z*7{ors|tJi+-)SIn8o=boEbn!X(xz&3&b0@Seu6eTYZoa2$f3feSL{iZw
zZh|?4OoXv$F)mtv=w#`*{tj`5<@KgB>kfp&jzSr0lnco>KAVXIdKXteD}JMfG<oE)
zv1{=x>Xw6FGJVYpkwpXiaHrJ**s%sxT7T2t0KRDvMBimH&&(oX>ujGs6$i>SxSL`A
ztR&zaMa@|{Y)+`SLWmRaIN{@ZuM1HeXPWQ109zZ|gktm|oH|m1vSevCqvcE3Rk$te
z&)4U=P|Tt~rJ6yx30t%H2E?yS)fwnD4h@3ilcyydcBp^QWrY4b-ao<8f`?)7)PEqR
zGI`Ii?Va4gmaGna|EmlqO|GA0G^40yu46Kd9nCLOF`g6V&Z%dUyM}n0(>VmdBiWl$
z*4RRq_<XBVs=;Y-w~9~il`+IPa`%|;4d%~x%gl>4BC>7M*;!n+#{P{Rux=LxQC`nQ
zs-?VQH(TACts0-__wGI8yF0g8=zp_gfZm2?2#j=8M>^pxS{BAGe#t=n8;kMTL*2ph
zWf5SNp$!A$I*m^s-yPSrQKIrw?pHj*%zR~rP032Wc!Xlo^Ihs>-cZ&e%M$60E={uT
z;A3h{>zAhY01YXtDn&ucn=aWITq<=Kx@`|e#<Fb;;O<#{TjXMeft%1s$A1=L6Z#%q
zZjnx^$%XpfZMc#RHn2^o&WCXq*SVaR>D<Q|Bt0EOA<n-rLG$szG9X;<Fn%Hxq9UT9
z1%m|zCNKiSotv$C#NZk!SgS2)LNNBt)-TvV<SnxEuflkm)d5$U(xYFbF*+9%scDZ4
z0Pm^Rww&k~U(Owi7!m)OVt*Jw4|uYdN@utornXgF5sQk;n5NK8Ydo%SfMmoA5eaQ2
zDp?CjL{K_-vd1)CwVtkvJa=2YxvV{2pObZ(+KU?Za|}ucX|EsAB)=HISf}Z@s44sV
zFC)wLITlqvcVP`W!!u_Hvc#Xc_Bwl1%9y?1YS!W3qvr1ZKK-`etbfefk73q6d<3(0
zYLdQ!X6+=#E2@_?Q)RZZ0kd}Iw<@!Cv|MG@uFTqrdbvER*V&j^JHCdOHEXZK(y^K`
zJ3&cFV|Jo`NkJ%Uz8qtAG!e?uwzbNbz4bqaZCzT<{ELceP+c~GBFQvjm0^4K&`ZfE
zxAfvu4diOP%NVwiuYVaaHdCDaDCX>_MTHf~nvogmBsWk?1mh0Dq)2-hwiLlhwsW&Z
z1BBqo4G98)UBqzqXk41I*n5TvjLb3JbP&Eg`Oh6KT2IK73M0b8DN#>2Sj6TY>?!Eg
zs0jy92IKdycG;Ql!<qzo1iTJ=t&PhethbHrx;D2Mj!eUcJ%5VdA)7n=Xa?nn473YV
zKtZrsdMHWipm+kaIELkU7=WdY`CiN~u#H(hFNg^4Wa@j55)0+~FQAFgK(F!R<$$X8
zN&RE<V84ok@+k1s*GW|yRVK?Ns!jBFE$~!sn%XtOQ&p1MI3SeKsS2K|;HgBtTprcy
zYz&^t%TZero_|{6ys{c7RU{d0srn_wpRD<EK&dJd?YcmzE1949jcLF)VZaqAb!km3
z`1#gFVCjwFed9RQ6Us~blyIt)q#H}GN7X>C>RSq@QmoD3fQZ-d$>(#3QDcFJCh%jf
z;%9p7&hjkcYMb-Fc13SUOCc|KzUszG;1=RmqZvm8ntwxzYVuJ%8qUer@BY>r+>$RJ
z%{v{6`-<4UiLnRV*=`u+M4)9yygl_~N&!K!p^@c~H)Vh3-s70u8y*f0xy3TqzlBF~
z5c)ifsc3y-q4VlLxGQg$wRs$tA1%k4%qQ9q>bc>epC0Za<nBh@mJ_5kdJ7B1>mFw`
zH?&406MxSxjLJm^X24TO!u)vb9>KYZF*FN(*q_bOT-8GYdxYe4o1CJH5oZv*x$=O<
zEf1S@_*i)8t4G6w;U?r)Fa?ola9gzh(e(|x_cL#(cMbn~-9u{seF|w<%2S`6d&J2I
zz2G++#J0QKiH<^DG(6ZP(WRIXLm|O#9}zRQEq|u9VOyWgZM7Q6-x8MGmj_^pu_yZY
zhL`;)3L$_9ix?yT!ZSNLVQ>`pM$y)|ANN~e1&MX(ZlxeIJhL~S*$7tFez~C(k2hNw
z7C9TSObJd?z+?R*daS#Sjg#qmnm;<ZeZsjo-7!5A?FClYx!L-Whc6;m%Rifg&n}^l
zHGgp@;GCq+Td|P3v7wIQ!hE9;OgQAwup*i;TzwG3uIcqKGEah|^?A{o;G%{Y8>zP~
zj3qphl2WdI=@fg9uCnNbg-kp5cNx=3{B*Vwb#*qpMR+vwTJLKT!_FFjB>jXZYVE@y
zHTU;v4f4n{VzGEM3?u~MW3<+%raQIGaDS(uhq3j#n`vd>m%pyvi7A8zaUc9jwsQ4V
zU^w~!$do%=#&SFIOqvh*k;r6eBFCG1Q)_^MqVX;R#)5{{9|X$U=Q-E~_6q&?P*fO0
zB*u^;(Lix#n`596m%i+o5D(X?eJ*v<`8aKvfFRnD>=849yd~h4UxmOqj@T{qiGL>p
zMqMse!63qJvdFFx_KBQ~d$#F}{o9?ycWdl*H$_Mj&qO|o*~Im|ub6Eq@jcEH{|!7U
zf_mdjz#N3L7&6A#x-$tA=X^&AozYtz=IKtd#5+Q|4bXqhy5O=fg1E+J4D>9#O+wE=
z_`}@5@c<L;0gE-6+DVM*)E0MC_<sj3L{RaR{_z_Mx=ymqIZA9hnqC48{TX-(O=Pk|
zN=19f`hZ}-<jF<wT{pp+I4Oyg2~lRP;UHvl4Gt-)MoPOPT2yBn%-S_~xn*kLTjHJ&
zMO;S#gDfAD5u~o{M!6rKMP*$-Zt<%(Z}H@q;GZsDyu!^Vg_W0BCiRR>C4cN8@V(N`
z@>d0;5&U3I+&eSAlhDX%I+fw``1L6gJJkE;f)Vt2wat-l07t~OSNK#!%|OLhl<b~D
zpD<pSM=Z!)l?Lu?sNF%qvJ8bPUqC}RvdBvy;);MOIz!nSozf2=mH7lM5@RH3L<G`v
znj>goCo-Z?N-%8hd@q)N;eR}YI}H*h_8MT)==|(vh)hLU4R1w7Ug;gJamjWGM-6_X
z1LeX0vZ3+d@q>$r#|>Q~;gJLHF42ywHbJ^^gKJ6cd7%GV)Q0(GV9$rR;ZIDw7f0lf
zI*QuzG}5@ZONHtwocG*1u`W$9ZNdg_m1Df~WAsTh-Z+_JCRM0pDu2bw`=C;XLv=Wk
zw<ShP);dy*A2MKFXSn7tED~YFNU2LP9SfFaEGTA%mbuKDxYT(e*XJO|0Cte}`s;cC
z@MESYuqVnh7@j6+!5g6_foK*=@FY%w13oZ-*Xab$6Zw92+<O%eiB0*9t4FccKcVX-
z>S9UzsJdA4D3<%LlYieh3a^*TZk*`vS}gauxsBIoxvw%C$8F^qovJMNmE}HBFPBI4
zI)hDF?(-5G7q#4fWed(~=Kdntk4x1rDKllwmt*elRObH8oBOX}vDn58P9AR_U}nE*
zTYo3E1X*S4M_Yd<rGaG^qiP^mSuSPkR}8KlFjW}c1`|xqkbgipZz81sHH`W3n<~l%
zOqUS6k19_|mmRbtrf!P<<)PO)C&9vyGehHHmz{aue1g4@fayV7l-@0nqoiLfCY_eW
zS2H>yXr{dhA*A>lDNLef9-cH;yMGa8IpMDqC=<iSn)~~RmumG3<Z3RIr#XuCWF=uH
ze2oaoz8`~=cYlpPWl>;6{~j$W_yKh@76(dwhOWw@wQZ`n7sHQ5VG;x??qJW*09kDa
zPgD6x1DM_$&+xL2=VFkf#9bX6;~zj2QbHk<Gf$mE#0UxBnj(0U1>bnc97Sm445aD<
znxRd<7hwy;HxYY6a9W~IeG?lX$$<c~1hfbSy#rynTYm`7%L+!b*{sXRozL}_(Yav{
z=A>uf%!azWT3|cZN}AUQZiLys#aK`<Z+JfF3;T$u6t20%A{6P84R+9KplK`g!rDbE
zJLX>YFmVdDWUyOcLC$>KvuSGjWP=r{p9ipvRUZcw`%A5F8`DA$DP2q&bFLFxe3k%b
z1#UhbxPRGs1aLD&vt&iV&7`s}s+R;SGTYezxS9E_3fzpAtH8|)+)UKV<x#!P#=y<^
z8eSIMT=$W6HS{t;RY~+RQNN^6lr>)tdU;f#mzzf~@$~lAw0+~7#x0Lxi;q>fCE}Jx
zDGe;U3{?ZUdhq&i%dY`ZDu@s<NQqH`yb+H=*nd(kv<09g)seoga9T#MVvNKw48bt}
z-j&!UI<pgC#s$_DKbD7XjTm5i0bqK_FXqr&4IL1T<7wU@zg6DIkFMvxBSgpX7m|W*
zyCYF>MS_ICvI&1UJ{Mj37mqms_vm0Z<%O^b{HCXe&l8uJ6aa;vkl>R-E+nm)05JXL
zj(>*6!wzD>>IKSpG2QVp;&H9EAz)avnCY0<?FuJ%a%>;W#f^#Z)>f(95$QN@2<*bc
zB*d$Ok*Wb^c!PQrHpC}kv-l^~l=r4|JQjXN>vov~&*J{xFfCX#{HQ1vlF`)t2o+CX
zIM;$hyO^-T#2M@%3-4@m*4?fr`w$CjrGL$i_Wf?OLt&YeZ=a^fi>PO3THGu2ewNc9
z{!|QuGm!jHou#_UCt><j@7S<6JE`*FoCD0M?=0Dc8bg=QaSu%lAyM^|&PtDOF3ZT*
zJFFmIBBsfq!!8W~{J*CLLAi_%ObfQucsVt8I9RI;jF{K3vl(^<THe`12elT<U4M;%
zxqKAD5@^b9b<cNareW`B9jdYK&`1<^J=)r7h7f-4W|F66bjX3m4$@wKHDiLxJm+bO
zmhdYUS2@ssS#B)k!K{3ZW_a+KNrhmDoT%#V-oWuo>IZM2-m4o&o(>THMn9#wgW!Gy
z!`buOd+I@h^jF8U8+~YCkL!O8*niGYCvAjxkM1m^0XyByXb9Dyf&FPvhZ?d&dwuwQ
z@95~HeVmb1J$111M!T{nRQ7~&_JpHHuqULP_*hYULh=wTs+YtEGuzpKJt6a3l|3O^
zuCgao_Jl;eTprcy3^rv?h_B&|*b_EsI!F*u(sYohUsC?bnlHz6a9o)V)_-I=5Vxx_
z`Pm!S_fRXH8TU5y_M0{s9LJU%s|*HcFgQ+WVA;i|8pu_2OBoCVL-QkRA6S|&n1NvG
zuVOMtNhkj|cTT}SjNuT2ZO?e50Sgw8ij!b@Jf@K0A==GDg5xpPn(=iYqEETL5w6io
ztk6|?Fn50028y@q+k#y9t$%M=Lk#;dq`!{$ZF3C5WZN=&$UN2^J-%}vV71|I_hS?5
zKNz>J3qL)3KAXZ%IMiEs1KD@rqm8laj%^bjk6?29KrBkj8Sv+=<!eu23=KH0!xQ&2
zE^qADrw^C#gFramr(ZD;0*fVmUX-GMv7B4=$q^E@(y&#{#kzpwbbp@DbUh55DrQD`
zY)9h}@bDIk5)f#}V;qqT-BXdO=Znu_@3XTGXtZVHcUqwgcrLX>20*8kea?Qtf4#MA
zOvTINlkre|^pZ#HGCa>6SY%nDO<a#;h2j##la!X2q1qNvhKzylVm1QffdYzfE1WlV
z;S(-K%5tnJcSa6x9DlM~(?BJW@*h~<cy94nUe-){^ny6uWfwkrr&|*|co~k*%~f}3
z=Nt>?=4gd=;$=lay9>v{{qT$~f~>Oxr2xC;$$lOFJ*@H)JPKfU{0M+uipIr?0(MCy
zR#Y!}0MBe^1AtxTw<^FcTCM`@D!?vLFPBI4IvWG*;%j(Wz<+L~qugqcU4n#?kX@pF
zNeL)xz8uKzq=M|$1lgf`hT&g0BljJgXNDIJECI1pzHQL%B(~^S1==BKcaqY;vdd33
zkgM#L0_{Ww8lN~DPJbheG>soek5cqIQLdg}6Tj2Ed(AHxO7oh)jR@d&v$e;QSH5>0
z6GKlX@@*DMw|~j8Cli(=NR&F`OZ+_{KK%D{L6H3WgXMj`gz~n0@YBp1TflDTt~0`W
zwgXl5on_i_55__%Eh(dC=rgtx_KN+B<@_Jp(MKiW${Log)es`si4s!030Z?T6C<CU
zvd%s}_g%~Jce2K!2IZ(&WS}YJ_V$nF(3(%S>)UvBet(-jlIR1CVP<C1B~Zj{5V0Wo
zC)2I2ol~B>)88{oWU9)2`f!P@&1`H3*Imv@`XKG~R|6Tf0H^#`Ke-P2u~-1<0)2#R
z=D|uD+@iH(f$T$h5asH1Vs91rw-&wT+W`Mg9s&GI(cD;3@Gq$hi|Qp0^O@~z0Q}4R
zRt5e=%YRkiUj_ap>gDpNUT0(AUwjQO3;wO^NVpmfn4qR44w$H4QW(mb8^i%6UKMt;
z3=Fs|kdTdb-7R9qMUuV*PseyIe?!=s&il6I!8!PCv}!0D@nRa@QK_?Bd8sP{Kll@p
zm#?R%ui>2II^)y#aQ1xldQbetUYnECk8}b@<9~bKWUmbdt76o>QG(F;Z0t_FJ$X$=
zE_;vC1X!L23*~0(lqU_~f4<%`PSMW@4_X$#BT6nva$xIhiqRAClI;k?$>D2r0$(3d
zG&#rf4I9Mqc=z=lbno@v^z_C75;D{p3gVaSHhf{`#P0nNa;PX#zcdt04dGYxuRLaP
z_<sT@6iEi<BO;R0nYkuUo?<yXCkiDUf_7vsM0e)#NM?eEP{`1D$fl$#7T&QHM;koq
z&@xwr@a~lD-q-O|b8p%<r3!;D@dT0TQ;0Co$GL6+9mBk8)^9w#9yXjg!)JYW?xVZ|
zV(|x3xT{8AGSJn`r0!zwAoi-ESV<MU;D7VSX_@f|fr2LVLBlj@lB7EI7V!gj%AL{%
zbI*4tjHK=qGq7+EkGTU2{WG;erxqq8jYtTojiv0cYvaGRb$SK!$<AzO<m&8w<EQJ_
zd+?CIx&|_aSC}<Jd-yX9<IG@Z7wp=H?O~$5`nxwUY#8hdhhKPR{M4qExVX6H*MHY`
z?ks~{o^fB5nk=!$dle4mCkLdZ{eX)kT-YD+=;mT#Fq0<&eU%*Kj}iXC<SUd1lk698
zKz@+v#YV0TOhb!MYn2~<(bXpO;!$<+tENR<C1e8dYYNj43LjlxLT7@tH#Y1&A<!H6
z)F$ZOup2OPz-qu@SNtt4BVZVxGk*(Z%Hy$7DU85yXz}d^{u-m(4n`ED3~F*80@jC(
z`c-1u6UztI3m1)jyffZ+?@VptE@50K;~K>><O@iEaRy)Q88i67#7l-Sa$J8%T@d7h
zgn<j~2g-Ft<@th~iwuOaxoe34h8XW#=u9ZEZPiiSDbN)%TnpR;6X6UX+JEwS!bps6
zior7t$Hz#B6RgHR4ueS=kOEdr_E*?pvGF<&*XhGIXLHad*uNW->7Ue5@*f=bPD%+`
z-_!P*W?hk~8vTHc>Sfwtp%}KVl{yIvU5QbMG!k|vOV$zhO8F1mc!|3OmsJLeL6+Qm
ziBp4Y@fm4SvE9%eq%|+MLVwyTd3P5nwu@AfY~@pSB3`h7-dVWnfU7~Tt;v{qvjOXF
z%VC)r_q$`@$ax>V_C!M@CeCOZrhgl9boV9(><zO$SctC2-}U6XUGHwZ4NN@rZ@b$^
z?dg|oc59-f5PzK(JX2(!Sh8S`1y#~vgB-Y^6iiSa9*CSN)8T+T7=NJn@jvphjN^Wp
zV}7aQecrLY^l?5yjlLHqNaA}BjqKLh`?s<0!v5l8<dLlcrd`P^QiesFq9WPMoUv1+
zTU0YnhH?uL=b2^_-^s^uB@t5Mmm=a`R63U>nx*<LtFNQ~a!c}XODaQzAu3|M!E$uy
zO*}nX4pyb*;OWqExPK}whfjx=)~d9$o(?VPiN{LN(tbL$q{kU9K}+Z9(2^eGpad;P
zPluLt_wN$496ude(ydt~XgPU0v^4iuC5E@~M5tMP>wiLfe{<!{zxjlA|K`fufAb0L
z|IL*ZfaVj@0GcbS0L_(jfW@u`Wi6HEgg}agZY3G8URuhDfPWNPR+0egrKOwzNTFq=
z^}k+P$}RsCT2@;9>!qdK;!mOF39bEd`hN;7E9w91rKOzypF+z@`u}=qDX0IZ(6W;L
zzg}9(>Hm2iApE~Vo=PKY=J{9LVc{*m!XunGI*o&fPvMsG2HA>Xp&Do#KK@m&Dy~?h
z!LK5laJ)@;^ERHx>;yt1gz1#XUqh1C<^Gv}AB#TDsoZks{&ep1yFvf_PtdLZ2T)4^
s0u%rg000080JwoGlZL}W4ODw8R|fyTqAaWc0A-Wa!!`zi!vFvP0Ir86C;$Ke

diff --git a/Solutions/Web Session Essentials/Package/mainTemplate.json b/Solutions/Web Session Essentials/Package/mainTemplate.json
index 0d44d401348..946250ccf3a 100644
--- a/Solutions/Web Session Essentials/Package/mainTemplate.json	
+++ b/Solutions/Web Session Essentials/Package/mainTemplate.json	
@@ -988,7 +988,7 @@
               },
               "properties": {
                 "displayName": "[parameters('workbook1-name')]",
-                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Web Session Essentials\\n---\\n\\nThe 'Web Session Essentials' workbook provides real-time insights into activity and potential threats in your network.\\n\\nThis workbook is designed for network teams, security architects, analysts, and consultants to monitor, identify and investigate threats on Web servers, Web Proxies and Web Security Gateways assets. This Workbook gives a summary of analysed web traffic and helps with threat analysis and investigating suspicious http traffic.\\n\\nThe \\\"SummarizeWebSessionData\\\" Playbook installed along with the solution helps in summarizing the logs and improving the performance of the Workbook and data searches. This Workbook leverages the default as well as custom web session summarized data tables for visualising the data. Although enabling the summarization playbook is <b>optional</b>, we highly recommend enabling it for better user experience in environments with high EPS (events per second) data ingestion. Please note that summarization would require the playbook to run on a scheduled basis to utilise this workbook's capabilities.\\n\\nSummarized web session data can found in following custom tables:\\n- WebSession_Summarized_SrcInfo_CL\\n- WebSession_Summarized_SrcIP_CL\\n- WebSession_Summarized_DstIP_CL\\n- WebSession_Summarized_ThreatInfo_CL\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"10f90ed9-b14c-4bd3-8618-fe92d29d0055\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"a28728e5-2c6b-4f0f-9b2e-906fe24c52a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"c8af6801-1cdf-47f6-b959-a7774b2f5faf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"description\":\"Select required Log Analytics Workspace\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"b875f4b5-5a7c-4cf1-baf9-7b860f737cb8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"ab5ebbc3-a282-4ee4-9cc0-7cfebaa7e06a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n    union isfuzzy=true \\r\\n        (\\r\\n            WebSession_Summarized_SrcInfo_CL\\r\\n                | where EventTime_t >= {TimeRange:start}\\r\\n                | summarize max_TimeGenerated=max(EventTime_t)\\r\\n                | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n        ),\\r\\n        (\\r\\n            print({TimeRange:start})\\r\\n            | extend max_TimeGenerated = print_0\\r\\n            | project max_TimeGenerated\\r\\n        )\\r\\n        | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n    );\\r\\n    print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b8fc59a5-83c9-4ec1-9dfa-f71fa4e1ad15\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n    union isfuzzy=true \\r\\n        (\\r\\n            WebSession_Summarized_SrcIP_CL\\r\\n                | where EventTime_t >= {TimeRange:start}\\r\\n                | summarize max_TimeGenerated=max(EventTime_t)\\r\\n                | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n        ),\\r\\n        (\\r\\n            print({TimeRange:start})\\r\\n            | extend max_TimeGenerated = print_0\\r\\n            | project max_TimeGenerated\\r\\n        )\\r\\n        | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n    );\\r\\n    print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c318ae1b-984d-4f08-a0a1-46f0a8e62252\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeDstIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_DstIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n    union isfuzzy=true \\r\\n        (\\r\\n            WebSession_Summarized_DstIP_CL\\r\\n                | where EventTime_t >= {TimeRange:start}\\r\\n                | summarize max_TimeGenerated=max(EventTime_t)\\r\\n                | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n        ),\\r\\n        (\\r\\n            print({TimeRange:start})\\r\\n            | extend max_TimeGenerated = print_0\\r\\n            | project max_TimeGenerated\\r\\n        )\\r\\n        | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n    );\\r\\n    print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"041050ed-6db3-42ae-96cd-100abebd7492\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeThreatInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_ThreatInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n    union isfuzzy=true \\r\\n        (\\r\\n            WebSession_Summarized_ThreatInfo_CL\\r\\n                | where EventTime_t >= {TimeRange:start}\\r\\n                | summarize max_TimeGenerated=max(EventTime_t)\\r\\n                | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n        ),\\r\\n        (\\r\\n            print({TimeRange:start})\\r\\n            | extend max_TimeGenerated = print_0\\r\\n            | project max_TimeGenerated\\r\\n        )\\r\\n        | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n    );\\r\\n    print LastIngestionTime\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7c67ea90-b8cb-44e0-b7e0-24d7b55e2680\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcIpAddr\",\"label\":\"Source IP\",\"type\":2,\"description\":\"search single or multiple Source IPs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(SrcIpAddr)\\r\\n        | distinct SrcIpAddr\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcIpAddr_s)\\r\\n        | distinct SrcIpAddr=SrcIpAddr_s\\r\\n        )\\r\\n    | distinct SrcIpAddr\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"a8533e73-c384-4490-94d7-a86b0298add0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcUsername\",\"label\":\"User name\",\"type\":2,\"description\":\"search single or multiple usernames\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(SrcUsername)\\r\\n        | distinct SrcUsername\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcUsername_s)\\r\\n        | distinct SrcUsername=SrcUsername_s\\r\\n        )\\r\\n    | distinct SrcUsername\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"161946b4-aa92-4bc3-8ae1-8b4ee67389ea\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcHostname\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(SrcHostname)\\r\\n        | distinct SrcHostname\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcHostname_s)\\r\\n        | distinct SrcHostname=SrcHostname_s\\r\\n        )\\r\\n    | distinct SrcHostname\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Source Host\"},{\"id\":\"e67b1965-4b24-45bd-9e07-64892a11ed5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DstHostname\",\"type\":2,\"description\":\"search single or multiple URLs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(Url)\\r\\n        | extend SiteName = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | distinct SiteName\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | distinct SiteName = DestDomain_s\\r\\n        )\\r\\n    | distinct SiteName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Dest Site\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"c3e512f5-3e3f-41f3-b645-121f7bd6a557\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web servers\",\"subTarget\":\"webservers\",\"preText\":\"Web servers\",\"style\":\"link\"},{\"id\":\"6d785be8-da74-4cae-977f-576d5d3fa070\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web Proxies and Security Gateways\",\"subTarget\":\"webproxies\",\"style\":\"link\"},{\"id\":\"9f095674-3da6-4a46-aae9-6820b2b4baee\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Top Queries\",\"subTarget\":\"topQueries\",\"style\":\"link\"},{\"id\":\"e4f43157-d64d-41d2-8f9d-e39a30b0c1ce\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"View Threat Events\",\"subTarget\":\"threatevents\",\"style\":\"link\"}]},\"name\":\"links - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n    ),\\r\\n    (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n    )\\r\\n    | summarize count() by SrcIpAddr, DestHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where isnotempty(EventProduct)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventProduct\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(EventProduct_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventProduct=EventProduct_s\\r\\n        )\\r\\n    | distinct EventProduct\\r\\n    | count\\r\\n    | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where isnotempty(SrcUsername)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcUsername\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcUsername_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcUsername\\r\\n        )\\r\\n    | distinct SrcUsername\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where isnotempty(SrcHostname)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcHostname_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname=SrcHostname_s\\r\\n        )\\r\\n    | distinct SrcHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where isnotempty(SrcIpAddr)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcIpAddr\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcIpAddr_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcIpAddr=SrcIpAddr_s\\r\\n        )\\r\\n    | distinct SrcIpAddr\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n        )\\r\\n    | distinct DestHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Dest Sites\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where isnotempty(HttpUserAgent)\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}))\\r\\n        | distinct HttpUserAgent\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(HttpUserAgent_s)\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}))\\r\\n        | distinct HttpUserAgent=HttpUserAgent_s\\r\\n        )\\r\\n    | distinct HttpUserAgent\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nlet ServerErrorsCount =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where toint(EventResultDetails) between (500 .. 599)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where toint(EventResultDetails_s) between (500 .. 599)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize Count = sum(EventCount)\\r\\n    | extend Metric = \\\"Total Server Errors\\\", orderNum = 8;\\r\\nlet ClientErrorsCount =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where toint(EventResultDetails) between (400 .. 499)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where toint(EventResultDetails_s) between (400 .. 499)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize Count = sum(EventCount)\\r\\n    | extend Metric = \\\"Total Client Errors\\\", orderNum = 9;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents, ServerErrorsCount, ClientErrorsCount | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where isnotempty(EventProduct)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend EventProduct = EventProduct_s\\r\\n        | where isnotempty(EventProduct)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"Events by products over time - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n    _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n    | where EventType =~ 'WebServerSession'\\r\\n    | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n    | where toint(EventResultDetails) between (400 .. 599)\\r\\n    | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n    | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n    WebSession_Summarized_SrcIP_CL\\r\\n    | where EventTime_t >= {TimeRange:start}\\r\\n    | where EventType_s =~ 'WebServerSession'\\r\\n    | project\\r\\n        EventResultDetails= EventResultDetails_s,\\r\\n        EventTime = EventTime_t,\\r\\n        EventCount = EventCount_d,\\r\\n        SrcIpAddr=SrcIpAddr_s,\\r\\n        DestHostname=DestDomain_s,\\r\\n        SrcUsername=SrcUsername_s,\\r\\n        SrcHostname=SrcHostname_s\\r\\n    | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n    | where toint(EventResultDetails) between (400 .. 599)\\r\\n    | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n    )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by error type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventResultDetails\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Count by errors type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true\\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and ipv4_is_private(SrcIpAddr)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n        | where isnotempty(User) and ipv4_is_private(SrcIpAddr_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top internal users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top internal users by request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true\\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr))\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n        | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr_s))\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top external users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top external clients by request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(EventSeverity)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize RequestCount=tolong(count()) by EventSeverity\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(DstHostname)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n        | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n        | where isnotempty(DstHostname)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"25\",\"name\":\"Top web hosts with most request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":3,\"showAnalytics\":true,\"title\":\"Urls with most failed requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"Urls with most failed requests\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n        | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n        | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n        | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most server errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n        | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n        | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 499)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n    | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n      and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n      and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n      and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n| where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\nand ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\nand ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\nand ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most server errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n        _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n        | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n    )\\r\\n    on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User Agent requests resulted in success\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in success\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n        _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n        | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n    )\\r\\n    on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User Agent requests resulted in errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_DstIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| where EventType_s =~ 'WebServerSession'\\r\\n| extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n| project EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n        | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize DataReceived = sum(DataReceived) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\n    WebData\\r\\n    | summarize DataReceived = sum(DataReceived) by DstHostname\\r\\n    | join kind=inner (WebData\\r\\n    | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n    ) on DstHostname\\r\\n    | project WebServer=DstHostname, DataReceived=DataReceived, Trend\\r\\n    | order by DataReceived desc\\r\\n    | take 25\",\"size\":1,\"title\":\"Top Web servers with highest download\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Web servers with highest download\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let common_file_ext_list = dynamic([\\\".txt\\\", \\\".xlsx\\\", \\\".doc\\\", \\\".docx\\\", \\\".csv\\\", \\\".pdf\\\", \\\".png\\\", \\\".jpg\\\", \\\".jpeg\\\"]); // Add list of common files as per your environment\\r\\n_Im_WebSession (starttime={TimeRange:start}, eventresult='Success')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where HttpRequestMethod in~ (\\\"POST\\\", \\\"PUT\\\") \\r\\n| project\\r\\n    Url,\\r\\n    SrcIpAddr,\\r\\n    SrcUsername,\\r\\n    SrcHostname,\\r\\n    DstIpAddr,\\r\\n    DstPortNumber,\\r\\n    DstHostname,\\r\\n    TimeGenerated\\r\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]), '/')[-1])\\r\\n| extend FileWithdualextension = extract(@'([\\\\w-]+\\\\.\\\\w+\\\\.\\\\w+)$', 1, requestedFileName, typeof(string))\\r\\n| extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])\\r\\n| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files\\r\\n| summarize\\r\\n    EventCount=count(),\\r\\n    EventStartTime=min(TimeGenerated),\\r\\n    EventEndTime=max(TimeGenerated)\\r\\n    by\\r\\n    SrcIpAddr,\\r\\n    Url,\\r\\n    FileWithdualextension,\\r\\n    SrcUsername,\\r\\n    SrcHostname,\\r\\n    DstIpAddr,\\r\\n    DstPortNumber,\\r\\n    DstHostname\",\"size\":1,\"title\":\"Possible malicious double extension file upload\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webservers\"},\"name\":\"Web servers\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n    ),\\r\\n    (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n    )\\r\\n    | summarize count() by SrcIpAddr, DestHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where isnotempty(EventProduct)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventProduct\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(EventProduct_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventProduct=EventProduct_s\\r\\n        )\\r\\n    | distinct EventProduct\\r\\n    | count\\r\\n    | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where isnotempty(SrcUsername)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcUsername\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(SrcUsername_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcUsername\\r\\n        )\\r\\n    | distinct SrcUsername\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(SrcHostname)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(SrcHostname_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname=SrcHostname_s\\r\\n        )\\r\\n    | distinct SrcHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(SrcIpAddr)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcIpAddr\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(SrcIpAddr_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcIpAddr=SrcIpAddr_s\\r\\n        )\\r\\n    | distinct SrcIpAddr\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n        )\\r\\n    | distinct DestHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Dest HostNames\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(HttpUserAgent)\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}))\\r\\n        | distinct HttpUserAgent\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(HttpUserAgent_s)\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}))\\r\\n        | distinct HttpUserAgent=HttpUserAgent_s\\r\\n        )\\r\\n    | distinct HttpUserAgent\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unique Connections\",\"representation\":\"Connect\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Product Count\",\"representation\":\"Normal\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserNames\",\"representation\":\"AvatarDefault\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Source HostNames\",\"representation\":\"resource\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique Source IPs\",\"representation\":\"Publish\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserAgents\",\"representation\":\"Important\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique Hosts\",\"representation\":\"Book\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(EventProduct)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | extend EventProduct = EventProduct_s\\r\\n        | where isnotempty(EventProduct)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by products over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(EventResult)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventResult, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | extend EventResult = EventResult_s\\r\\n        | where isnotempty(EventResult)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount_d)) by EventResult, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by EventResult, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by result over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventResult\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Failure\",\"color\":\"red\"},{\"seriesName\":\"Success\",\"color\":\"green\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by result over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n    _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n    | where EventType =~ 'HTTPsession'\\r\\n    | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | where toint(EventResultDetails) > 399 // Take events resulted in errors\\r\\n    | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n    WebSession_Summarized_SrcIP_CL\\r\\n    | where EventTime_t >= {TimeRange:start}\\r\\n    | where EventType_s =~ 'HTTPsession'\\r\\n    | extend\\r\\n        SrcIpAddr=SrcIpAddr_s,\\r\\n        DestHostname=DestDomain_s,\\r\\n        SrcUsername=SrcUsername_s,\\r\\n        SrcHostname=SrcHostname_s,\\r\\n        SrcBytes = SrcBytes_d,\\r\\n        DstBytes = DstBytes_d\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | where toint(EventResultDetails_s) > 399 // Take events resulted in errors\\r\\n    | summarize EventCount=tolong(sum(EventCount_d)) by EventResultDetails=EventResultDetails_s, TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n    )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Errors by type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"Errors by type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(EventType)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n         | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n         and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n         and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n         and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventType, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | extend EventType=EventType_s, EventCount=EventCount_d, EventTime=EventTime_t\\r\\n        | where isnotempty(EventType)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n         | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n         and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n         and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n         and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by EventType, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by EventType, bin(TimeGenerated, {TimeRange:grain})\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by type\",\"color\":\"lightBlue\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"20\",\"name\":\"Events by type\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotnull(SrcBytes) or isnotnull(DstBytes)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotnull(SrcBytes_d) or isnotnull(DstBytes_d)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize DataSent = sum(DataSent),  DataReceived=tolong(sum(DataReceived)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n    | project DataSentinGB = format_bytes(DataSent,0,'GB'), DataReceivedinGB=format_bytes(DataReceived,0,'GB'), TimeGenerated\\r\\n    | extend DataSentinGB = toint(replace_string(DataSentinGB,\\\" GB\\\",\\\"\\\")), DataReceivedinGB = toint(replace_string(DataReceivedinGB,\\\" GB\\\",\\\"\\\"))\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Sent and Received data in GB over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"customWidth\":\"40\",\"name\":\"Sent and Received data in GB over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n    _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n    | where EventType =~ 'HTTPsession'\\r\\n    | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n         and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n         and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n         and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize DestHostnameSet = make_set(DestHostname, 1000000) by bin(TimeGenerated, {TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n    WebSession_Summarized_SrcIP_CL\\r\\n    | where EventTime_t >= {TimeRange:start}\\r\\n    | where EventType_s =~ 'HTTPsession'\\r\\n| where isnotempty(DestDomain_s)\\r\\n| extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize DestHostnameSet = make_set(DestHostname, 1000000) by TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n)\\r\\n| summarize TotalSites = array_length(make_set(DestHostnameSet, 1000000)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Distinct requested applications over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"40\",\"name\":\"Distinct requested applications over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'HTTPsession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"Urls with most failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Urls with most failed requests count\"}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webproxies\"},\"name\":\"Group - Web Proxies and Security Gateways\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | extend DestDomain = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n            | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(DestDomain)\\r\\n        | summarize RequestCount=tolong(count()) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project\\r\\n            SrcUsername=SrcUsername_s,\\r\\n            SrcIpAddr=SrcIpAddr_s,\\r\\n            SrcHostname=SrcHostname_s,\\r\\n            TimeGenerated=EventTime_t,\\r\\n            DestDomain=DestDomain_s,\\r\\n            EventCount=EventCount_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(DestDomain)\\r\\n        | summarize RequestCount=tolong(sum(EventCount)) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize RequestCount = sum(RequestCount) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain});\\r\\nlet UserData = WebData\\r\\n    | summarize RequestCount=sum(RequestCount) by User\\r\\n    | join kind=inner (WebData\\r\\n        | make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User)\\r\\n        on User\\r\\n    | order by RequestCount desc, User asc;\\r\\nWebData\\r\\n| summarize RequestCount=sum(RequestCount) by User, DestDomain\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DestDomain\\r\\n) on User, DestDomain\\r\\n| order by RequestCount desc, User asc\\r\\n| project Id=DestDomain, Name=DestDomain, RequestCount, Trend, ParentId=User, Type='DestDomain'\\r\\n| union (UserData\\r\\n| project Id=User, Name=User, RequestCount, Trend, ParentId = 'root', Type='User'\\r\\n)\\r\\n| order by RequestCount desc, Name asc\\r\\n| take 25\",\"size\":1,\"title\":\"Top sites of the top users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"50\",\"name\":\"Top sites of the top users\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n         WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | extend EventCount=EventCount_d, SrcIpAddr=SrcIpAddr_s, EventTime=EventTime_t, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, SrcHostname=SrcHostname_s\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User)\\r\\n         | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n    WebData\\r\\n    | summarize EventCount = sum(EventCount) by User\\r\\n    | join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n    ) on User\\r\\n    | project User, EventCount, Trend\\r\\n    | order by EventCount desc\\r\\n    | take 25\",\"size\":1,\"title\":\"Top Users with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":\"[]\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top Users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top Users with most server errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top client error types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top client error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top server error types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top server error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Success')\\r\\n        | extend Website = case(\\r\\n                        isnotempty(DstDomain),DstDomain\\r\\n                        , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n                        ,\\\"NA\\\"\\r\\n                            )\\r\\n        | where Website != \\\"NA\\\"\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n        | project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n        | extend Website = case(\\r\\n                        isnotempty(DestHostname),DestHostname\\r\\n                        ,\\\"NA\\\"\\r\\n                            )\\r\\n        | where Website != \\\"NA\\\" and EventResult_s =~ 'Success'\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by  Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Failure')\\r\\n        | extend Website = case(\\r\\n                        isnotempty(DstDomain),DstDomain\\r\\n                        , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n                        ,\\\"NA\\\"\\r\\n                            )\\r\\n        | where Website != \\\"NA\\\"\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n        | project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n        | extend Website = case(\\r\\n                        isnotempty(DestHostname),DestHostname\\r\\n                        ,\\\"NA\\\"\\r\\n                            )\\r\\n        | where Website != \\\"NA\\\" and EventResult_s =~ 'Failure'\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by  Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, SrcBytes= SrcBytes_d\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize DataSent = sum(DataSent) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n    WebData\\r\\n    | summarize DataSent = sum(DataSent) by User\\r\\n    | join kind=inner (WebData\\r\\n    | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n    ) on User\\r\\n    | project User, DataSentinMB=DataSent/1048576, Trend\\r\\n    | order by DataSentinMB desc\\r\\n    | take 25\",\"size\":1,\"title\":\"Users with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"SentData\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest upload (MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(DstBytes)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(DstBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize DataReceived = sum(DataReceived) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n    WebData\\r\\n    | summarize DataReceived = sum(DataReceived) by User\\r\\n    | join kind=inner (WebData\\r\\n    | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n    ) on User\\r\\n    | project User, DataReceivedinMB=DataReceived/1048576, Trend\\r\\n    | order by DataReceivedinMB desc\\r\\n    | take 25\",\"size\":1,\"title\":\"Users with highest download (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest download (MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | extend Website = case(\\r\\n                       isnotempty(DstDomain),\\r\\n                       DstDomain\\r\\n            ,\\r\\n                       isnotempty(Url),\\r\\n                       tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n            ,\\r\\n                       \\\"NA\\\"\\r\\n                   )\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | where Website != \\\"NA\\\" and isnotempty(SrcBytes)\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project\\r\\n            SrcIpAddr=SrcIpAddr_s,\\r\\n            EventResultDetails=EventResultDetails_s,\\r\\n            EventCount=EventCount_d,\\r\\n            EventTime=EventTime_t,\\r\\n            SrcUsername=SrcUsername_s,\\r\\n            SrcHostname=SrcHostname_s,\\r\\n            DestHostname=DestDomain_s,\\r\\n            SrcBytes= SrcBytes_d\\r\\n        | extend Website = case(\\r\\n                       isnotempty(DestHostname),\\r\\n                       DestHostname\\r\\n            ,\\r\\n                       \\\"NA\\\"\\r\\n                   )\\r\\n        | where Website != \\\"NA\\\" and isnotnull(SrcBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize DataSent = sum(DataSent) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataSent = sum(DataSent) by Website\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n    )\\r\\n    on Website\\r\\n| project Website, DataSentinMB=DataSent / 1048576, Trend\\r\\n| order by DataSentinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest upload (MB) (no summarization)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | project DstDomain, Url, TimeGenerated, DstBytes, SrcIpAddr, SrcUsername, SrcHostname\\r\\n        | extend Website = case(\\r\\n                       isnotempty(DstDomain),\\r\\n                       DstDomain\\r\\n            ,\\r\\n                       isnotempty(Url),\\r\\n                       tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n            ,\\r\\n                       \\\"NA\\\"\\r\\n                   )\\r\\n        | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project\\r\\n            SrcIpAddr=SrcIpAddr_s,\\r\\n            EventResultDetails=EventResultDetails_s,\\r\\n            EventCount=EventCount_d,\\r\\n            EventTime=EventTime_t,\\r\\n            SrcUsername=SrcUsername_s,\\r\\n            SrcHostname=SrcHostname_s,\\r\\n            DestHostname=DestDomain_s,\\r\\n            DstBytes= DstBytes_d\\r\\n        | extend Website = case(\\r\\n                       isnotempty(DestHostname),\\r\\n                       DestHostname\\r\\n            ,\\r\\n                       \\\"NA\\\"\\r\\n                   )\\r\\n        | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize DataReceived = sum(DataReceived) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataReceived = sum(DataReceived) by Website\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n    )\\r\\n    on Website\\r\\n| project Website, DataReceivedinMB=DataReceived / 1048576, Trend\\r\\n| order by DataReceivedinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest download(MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest download(MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n        _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n        | where isnotempty(HttpReferrer)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ;\\r\\n    WebData\\r\\n    | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n    | join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n    ) on HttpReferrer\\r\\n    | project HttpReferrer, EventCount, Trend\\r\\n    | order by EventCount desc\\r\\n    | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n        _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n        | where isnotempty(HttpReferrer)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ;\\r\\n    WebData\\r\\n    | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n    | join kind=inner (WebData\\r\\n     | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n    ) on HttpReferrer\\r\\n    | project HttpReferrer, EventCount, Trend\\r\\n    | order by EventCount desc\\r\\n    | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Failure\\\")\\r\\n        | project UrlCategory, TimeGenerated\\r\\n        | where isnotempty(UrlCategory)\\r\\n        | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n        | where isnotempty(UrlCategory) and EventResult =~ \\\"Failure\\\"\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Success\\\")\\r\\n        | project UrlCategory, TimeGenerated\\r\\n        | where isnotempty(UrlCategory)\\r\\n        | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n        | where isnotempty(UrlCategory) and EventResult =~ \\\"Success\\\"\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n        | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n        | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project\\r\\n            HttpUserAgent=HttpUserAgent_s,\\r\\n            EventCount=EventCount_d,\\r\\n            EventTime=EventTime_t,\\r\\n            EventResult=EventResult_s\\r\\n        | where isnotempty(HttpUserAgent)\\r\\n            and HttpUserAgent != 'Unknown'\\r\\n            and EventResult =~ 'Success'\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n    )\\r\\n    on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP User Agents by successful request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by successful request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n        | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n        | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project\\r\\n            HttpUserAgent=HttpUserAgent_s,\\r\\n            EventCount=EventCount_d,\\r\\n            EventTime=EventTime_t,\\r\\n            EventResult=EventResult_s\\r\\n        | where isnotempty(HttpUserAgent)\\r\\n            and HttpUserAgent != 'Unknown'\\r\\n            and EventResult =~ 'Failure'\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n    )\\r\\n    on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP User Agents by failed request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by failed request count\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"topQueries\"},\"name\":\"Group - Top Queries\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nlet distinctThreats = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where (ThreatName !in~ (exludeString) and isnotempty(ThreatName))\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where (ThreatName_s !in~ (exludeString) and isnotempty(ThreatName_s))\\r\\n        | extend ThreatName = ThreatName_s\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        )\\r\\n    | summarize Result=tostring(dcount(ThreatName))\\r\\n    | extend Query = \\\"Distinct ThreatNames\\\", orderNum = 1;\\r\\nlet distinctThreatCategory = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where (ThreatCategory !in~ (exludeString) and isnotempty(ThreatCategory))\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where (ThreatCategory_s !in~ (exludeString) and isnotempty(ThreatCategory_s))\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend ThreatCategory = ThreatCategory_s\\r\\n        )\\r\\n    | summarize Result=tostring(dcount(ThreatCategory))\\r\\n    | extend Query = \\\"Distinct Threat Categories\\\", orderNum = 2;\\r\\nlet maxRiskLevel = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where ThreatRiskLevel > 60\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where ThreatRiskLevel_d > 60\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend ThreatRiskLevel = toint(ThreatRiskLevel_d)\\r\\n        )\\r\\n    | summarize Max_RiskLevel=max(ThreatRiskLevel)\\r\\n    | extend Result=tostring(iff(isempty(Max_RiskLevel), 0, Max_RiskLevel))\\r\\n    | extend Query = \\\"Maximum RiskLevel\\\", orderNum = 3;\\r\\nlet maxThreatConfidence = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | extend ThreatOriginalConfidence=toint(ThreatOriginalConfidence)\\r\\n        | where ThreatOriginalConfidence > 0\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where toint(ThreatOriginalConfidence_d) > 0\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, ThreatOriginalConfidence=ThreatOriginalConfidence_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n        )\\r\\n    | summarize Max_ThreatOriginalConfidence=max(ThreatOriginalConfidence)\\r\\n    | extend Result=tostring(iff(isempty(Max_ThreatOriginalConfidence), 0, Max_ThreatOriginalConfidence))\\r\\n    | extend Query = \\\"Maximum ThreatConfidence\\\", orderNum = 4;\\r\\nlet MaxEventSeverity = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventSeverity\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(EventSeverity_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventSeverity=EventSeverity_s\\r\\n        )\\r\\n    | distinct EventSeverity\\r\\n    | summarize EventSeverity=make_set(EventSeverity, 5)\\r\\n    | extend Result=case(\\r\\n                               EventSeverity has 'High',\\r\\n                               'High',\\r\\n                               EventSeverity has 'Medium',\\r\\n                               'Medium',\\r\\n                               EventSeverity has 'Low',\\r\\n                               'Low',\\r\\n                               EventSeverity has 'Informational',\\r\\n                               'Informational',\\r\\n                               EventSeverity\\r\\n                           )\\r\\n    | extend Query = \\\"Max Event Severity\\\", orderNum = 5;\\r\\nunion distinctThreatCategory, distinctThreats, maxRiskLevel, maxThreatConfidence, MaxEventSeverity\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Query\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"!=\",\"thresholdValue\":\"0\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n    _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n    | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n    | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=count() by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult, bin(TimeGenerated, {TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n    WebSession_Summarized_ThreatInfo_CL\\r\\n    | where EventTime_t >= {TimeRange:start}\\r\\n    | project ThreatName=ThreatName_s, EventCount=EventCount_d, TimeGenerated=EventTime_t, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n    | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=tolong(sum(EventCount)) by ThreatName, bin(TimeGenerated, {TimeRange:grain})\\r\\n    )\\r\\n| summarize EventCount = sum(EventCount) by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n| order by EventCount\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat name\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Events by threat name\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nunion isfuzzy=true \\r\\n    (\\r\\n    _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n    | where ThreatCategory !in~ (exludeString)\\r\\n    | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=count() by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    ),\\r\\n    (\\r\\n    WebSession_Summarized_ThreatInfo_CL\\r\\n    | where EventTime_t >= {TimeRange:start}\\r\\n    | project ThreatCategory=ThreatCategory_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n    | where ThreatCategory !in~ (exludeString)\\r\\n    | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=tolong(sum(EventCount)) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    )\\r\\n| summarize EventCount = sum(EventCount) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project EventSeverity=EventSeverity_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n\\t  | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n      | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t  | summarize EventCount=tolong(sum(EventCount)) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    )\\r\\n    | summarize EventCount=sum(EventCount) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Severity over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true  \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where ThreatRiskLevel > 60\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project ThreatRiskLevel=toint(ThreatRiskLevel_d), EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n        | where ThreatRiskLevel > 60\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t  | summarize EventCount=tolong(sum(EventCount)) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    )\\r\\n    | summarize EventCount=sum(EventCount) by tostring(ThreatRiskLevel), ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Risk Level over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n        | where ThreatOriginalConfidence > 0\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where ThreatOriginalConfidence_d > 0\\r\\n        | project ThreatOriginalConfidence=toint(ThreatOriginalConfidence_d), EventTime_t, EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n      | summarize EventCount=tolong(sum(EventCount_d)) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    )\\r\\n    | summarize EventCount=sum(EventCount) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"title\":\"Events by Confidence over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllPublicIPs = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where not(ipv4_is_private(SrcIpAddr))\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend PublicIPAddress = SrcIpAddr\\r\\n        | where PublicIPAddress != ''\\r\\n\\t\\t| project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where not(ipv4_is_private(SrcIpAddr))\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend PublicIPAddress = SrcIpAddr\\r\\n        | where PublicIPAddress != ''\\r\\n        | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n        | where not(ipv4_is_private(DstIpAddr))\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend PublicIPAddress = DstIpAddr\\r\\n        | where PublicIPAddress != ''\\r\\n        | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n    )\\r\\n    | distinct PublicIPAddress;\\r\\n    ThreatIntelligenceIndicator\\r\\n    | where NetworkIP in~ (AllPublicIPs)\",\"size\":1,\"title\":\"Source or Destination IPs matching with Threat Intelligence indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where isnotempty(DestHostname)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    )\\r\\n    | distinct DestHostname;\\r\\n    ThreatIntelligenceIndicator\\r\\n    | where Url has_any(AllDstWebsites)\",\"size\":1,\"title\":\"Requested URL matching with Threat Intelligence Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Requested URL with Threat Intelligence Indicators\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcIPs = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(SrcIpAddr)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| project SrcIpAddr\\r\\n\\t\\t| distinct SrcIpAddr\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcIpAddr_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct SrcIpAddr=SrcIpAddr_s\\r\\n    )\\r\\n    | distinct SrcIpAddr;\\r\\nlet AllDstIPs = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n        | where isnotempty(DstIpAddr)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DstIpAddr_s)\\r\\n        | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n    )\\r\\n    | distinct DstIpAddr;\\r\\nlet AllIPs =\\r\\nunion AllSrcIPs, AllDstIPs;\\r\\n    SecurityAlert\\r\\n    | where TimeGenerated > {TimeRange:start}\\r\\n    | extend Parsed_Entities = parse_json(Entities)\\r\\n    | mv-expand Parsed_Entities\\r\\n    | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n    | where Parsed_EntityType =~ 'ip'\\r\\n    | extend IPEntity = tostring(Parsed_Entities.Address)\\r\\n    | project-away Parsed_Entities\\r\\n    | where IPEntity in~ (AllIPs)\\r\\n    | project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, IPEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source or Destination IPs matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend DestHostname = DestDomain_s\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    )\\r\\n    | distinct DestHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n    | extend Parsed_Entities = parse_json(Entities)\\r\\n    | mv-expand Parsed_Entities\\r\\n    | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n    | where Parsed_EntityType =~ 'url'\\r\\n    | extend UrlEntity = tostring(Parsed_Entities.Url)\\r\\n    | project-away Parsed_Entities\\r\\n| where UrlEntity has_any (AllDstWebsites)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, UrlEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Request URLs matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcHostnames = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(SrcHostname)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcHostname_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname=SrcHostname_s\\r\\n        )\\r\\n    | distinct SrcHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n    | extend Parsed_Entities = parse_json(Entities)\\r\\n    | mv-expand Parsed_Entities\\r\\n    | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n    | where Parsed_EntityType =~ 'host'\\r\\n    | extend HostEntity = tostring(Parsed_Entities.HostName)\\r\\n    | project-away Parsed_Entities\\r\\n| where HostEntity in~ (AllSrcHostnames)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, HostEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source HostNames matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"query - 10\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"threatevents\"},\"name\":\"Threat Events\"}],\"fallbackResourceIds\":[],\"fromTemplateId\":\"sentinel-WebSessionDomainSolution\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Web Session Essentials\\n---\\n\\nThe 'Web Session Essentials' workbook provides real-time insights into activity and potential threats in your network.\\n\\nThis workbook is designed for network teams, security architects, analysts, and consultants to monitor, identify and investigate threats on Web servers, Web Proxies and Web Security Gateways assets. This Workbook gives a summary of analysed web traffic and helps with threat analysis and investigating suspicious http traffic.\\n\\nThe \\\"SummarizeWebSessionData\\\" Playbook installed along with the solution helps in summarizing the logs and improving the performance of the Workbook and data searches. This Workbook leverages the default as well as custom web session summarized data tables for visualising the data. Although enabling the summarization playbook is <b>optional</b>, we highly recommend enabling it for better user experience in environments with high EPS (events per second) data ingestion. Please note that summarization would require the playbook to run on a scheduled basis to utilise this workbook's capabilities.\\n\\nSummarized web session data can found in following custom tables:\\n- WebSession_Summarized_SrcInfo_CL\\n- WebSession_Summarized_SrcIP_CL\\n- WebSession_Summarized_DstIP_CL\\n- WebSession_Summarized_ThreatInfo_CL\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"10f90ed9-b14c-4bd3-8618-fe92d29d0055\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"a28728e5-2c6b-4f0f-9b2e-906fe24c52a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"c8af6801-1cdf-47f6-b959-a7774b2f5faf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"description\":\"Select required Log Analytics Workspace\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"b875f4b5-5a7c-4cf1-baf9-7b860f737cb8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"ab5ebbc3-a282-4ee4-9cc0-7cfebaa7e06a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n    union isfuzzy=true \\r\\n        (\\r\\n            WebSession_Summarized_SrcInfo_CL\\r\\n                | where EventTime_t >= {TimeRange:start}\\r\\n                | summarize max_TimeGenerated=max(EventTime_t)\\r\\n                | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n        ),\\r\\n        (\\r\\n            print({TimeRange:start})\\r\\n            | extend max_TimeGenerated = print_0\\r\\n            | project max_TimeGenerated\\r\\n        )\\r\\n        | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n    );\\r\\n    print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b8fc59a5-83c9-4ec1-9dfa-f71fa4e1ad15\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n    union isfuzzy=true \\r\\n        (\\r\\n            WebSession_Summarized_SrcIP_CL\\r\\n                | where EventTime_t >= {TimeRange:start}\\r\\n                | summarize max_TimeGenerated=max(EventTime_t)\\r\\n                | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n        ),\\r\\n        (\\r\\n            print({TimeRange:start})\\r\\n            | extend max_TimeGenerated = print_0\\r\\n            | project max_TimeGenerated\\r\\n        )\\r\\n        | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n    );\\r\\n    print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c318ae1b-984d-4f08-a0a1-46f0a8e62252\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeDstIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_DstIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n    union isfuzzy=true \\r\\n        (\\r\\n            WebSession_Summarized_DstIP_CL\\r\\n                | where EventTime_t >= {TimeRange:start}\\r\\n                | summarize max_TimeGenerated=max(EventTime_t)\\r\\n                | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n        ),\\r\\n        (\\r\\n            print({TimeRange:start})\\r\\n            | extend max_TimeGenerated = print_0\\r\\n            | project max_TimeGenerated\\r\\n        )\\r\\n        | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n    );\\r\\n    print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"041050ed-6db3-42ae-96cd-100abebd7492\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeThreatInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_ThreatInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n    union isfuzzy=true \\r\\n        (\\r\\n            WebSession_Summarized_ThreatInfo_CL\\r\\n                | where EventTime_t >= {TimeRange:start}\\r\\n                | summarize max_TimeGenerated=max(EventTime_t)\\r\\n                | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n        ),\\r\\n        (\\r\\n            print({TimeRange:start})\\r\\n            | extend max_TimeGenerated = print_0\\r\\n            | project max_TimeGenerated\\r\\n        )\\r\\n        | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n    );\\r\\n    print LastIngestionTime\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7c67ea90-b8cb-44e0-b7e0-24d7b55e2680\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcIpAddr\",\"label\":\"Source IP\",\"type\":2,\"description\":\"search single or multiple Source IPs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(SrcIpAddr)\\r\\n        | distinct SrcIpAddr\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcIpAddr_s)\\r\\n        | distinct SrcIpAddr=SrcIpAddr_s\\r\\n        )\\r\\n    | distinct SrcIpAddr\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"a8533e73-c384-4490-94d7-a86b0298add0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcUsername\",\"label\":\"User name\",\"type\":2,\"description\":\"search single or multiple usernames\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(SrcUsername)\\r\\n        | distinct SrcUsername\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcUsername_s)\\r\\n        | distinct SrcUsername=SrcUsername_s\\r\\n        )\\r\\n    | distinct SrcUsername\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"161946b4-aa92-4bc3-8ae1-8b4ee67389ea\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcHostname\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(SrcHostname)\\r\\n        | distinct SrcHostname\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcHostname_s)\\r\\n        | distinct SrcHostname=SrcHostname_s\\r\\n        )\\r\\n    | distinct SrcHostname\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Source Host\"},{\"id\":\"e67b1965-4b24-45bd-9e07-64892a11ed5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DstHostname\",\"type\":2,\"description\":\"search single or multiple URLs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(Url)\\r\\n        | extend SiteName = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | distinct SiteName\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | distinct SiteName = DestDomain_s\\r\\n        )\\r\\n    | distinct SiteName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Dest Site\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"c3e512f5-3e3f-41f3-b645-121f7bd6a557\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web servers\",\"subTarget\":\"webservers\",\"preText\":\"Web servers\",\"style\":\"link\"},{\"id\":\"6d785be8-da74-4cae-977f-576d5d3fa070\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web Proxies and Security Gateways\",\"subTarget\":\"webproxies\",\"style\":\"link\"},{\"id\":\"9f095674-3da6-4a46-aae9-6820b2b4baee\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Top Queries\",\"subTarget\":\"topQueries\",\"style\":\"link\"},{\"id\":\"e4f43157-d64d-41d2-8f9d-e39a30b0c1ce\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"View Threat Events\",\"subTarget\":\"threatevents\",\"style\":\"link\"}]},\"name\":\"links - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n    ),\\r\\n    (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n    )\\r\\n    | summarize count() by SrcIpAddr, DestHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where isnotempty(EventProduct)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventProduct\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(EventProduct_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventProduct=EventProduct_s\\r\\n        )\\r\\n    | distinct EventProduct\\r\\n    | count\\r\\n    | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where isnotempty(SrcUsername)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcUsername\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcUsername_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcUsername\\r\\n        )\\r\\n    | distinct SrcUsername\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where isnotempty(SrcHostname)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcHostname_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname=SrcHostname_s\\r\\n        )\\r\\n    | distinct SrcHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where isnotempty(SrcIpAddr)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcIpAddr\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcIpAddr_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcIpAddr=SrcIpAddr_s\\r\\n        )\\r\\n    | distinct SrcIpAddr\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n        )\\r\\n    | distinct DestHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Dest Sites\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where isnotempty(HttpUserAgent)\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}))\\r\\n        | distinct HttpUserAgent\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(HttpUserAgent_s)\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}))\\r\\n        | distinct HttpUserAgent=HttpUserAgent_s\\r\\n        )\\r\\n    | distinct HttpUserAgent\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nlet ServerErrorsCount =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where toint(EventResultDetails) between (500 .. 599)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where toint(EventResultDetails_s) between (500 .. 599)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize Count = sum(EventCount)\\r\\n    | extend Metric = \\\"Total Server Errors\\\", orderNum = 8;\\r\\nlet ClientErrorsCount =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where toint(EventResultDetails) between (400 .. 499)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where toint(EventResultDetails_s) between (400 .. 499)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize Count = sum(EventCount)\\r\\n    | extend Metric = \\\"Total Client Errors\\\", orderNum = 9;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents, ServerErrorsCount, ClientErrorsCount | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | where isnotempty(EventProduct)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend EventProduct = EventProduct_s\\r\\n        | where isnotempty(EventProduct)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"Events by products over time - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n    _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n    | where EventType =~ 'WebServerSession'\\r\\n    | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n    | where toint(EventResultDetails) between (400 .. 599)\\r\\n    | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n    | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n    WebSession_Summarized_SrcIP_CL\\r\\n    | where EventTime_t >= {TimeRange:start}\\r\\n    | where EventType_s =~ 'WebServerSession'\\r\\n    | project\\r\\n        EventResultDetails= EventResultDetails_s,\\r\\n        EventTime = EventTime_t,\\r\\n        EventCount = EventCount_d,\\r\\n        SrcIpAddr=SrcIpAddr_s,\\r\\n        DestHostname=DestDomain_s,\\r\\n        SrcUsername=SrcUsername_s,\\r\\n        SrcHostname=SrcHostname_s\\r\\n    | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n    | where toint(EventResultDetails) between (400 .. 599)\\r\\n    | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n    )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by error type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventResultDetails\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Count by errors type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true\\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and ipv4_is_private(SrcIpAddr)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n        | where isnotempty(User) and ipv4_is_private(SrcIpAddr_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top internal users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top internal users by request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true\\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr))\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n        | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr_s))\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top external users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top external clients by request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(EventSeverity)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize RequestCount=tolong(count()) by EventSeverity\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(DstHostname)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n        | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n        | where isnotempty(DstHostname)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"25\",\"name\":\"Top web hosts with most request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":3,\"showAnalytics\":true,\"title\":\"Urls with most failed requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"Urls with most failed requests\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n        | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n        | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n        | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most server errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'WebServerSession'\\r\\n        | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n        | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n        | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 499)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n    | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n      and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n      and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n      and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n| where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\nand ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\nand ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\nand ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most server errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n        _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n        | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n    )\\r\\n    on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User Agent requests resulted in success\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in success\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n        _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n        | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n    )\\r\\n    on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User Agent requests resulted in errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n        | where EventType =~ 'WebServerSession'\\r\\n        | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n        | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_DstIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| where EventType_s =~ 'WebServerSession'\\r\\n| extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n| project EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n        | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n     and ('*' in~ ({SrcUsername}))\\r\\n     and ('*' in~ ({SrcHostname}))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize DataReceived = sum(DataReceived) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\n    WebData\\r\\n    | summarize DataReceived = sum(DataReceived) by DstHostname\\r\\n    | join kind=inner (WebData\\r\\n    | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n    ) on DstHostname\\r\\n    | project WebServer=DstHostname, DataReceived=DataReceived, Trend\\r\\n    | order by DataReceived desc\\r\\n    | take 25\",\"size\":1,\"title\":\"Top Web servers with highest download\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Web servers with highest download\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let common_file_ext_list = dynamic([\\\".txt\\\", \\\".xlsx\\\", \\\".doc\\\", \\\".docx\\\", \\\".csv\\\", \\\".pdf\\\", \\\".png\\\", \\\".jpg\\\", \\\".jpeg\\\"]); // Add list of common files as per your environment\\r\\n_Im_WebSession (starttime={TimeRange:start}, eventresult='Success')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where HttpRequestMethod in~ (\\\"POST\\\", \\\"PUT\\\") \\r\\n| project\\r\\n    Url,\\r\\n    SrcIpAddr,\\r\\n    SrcUsername,\\r\\n    SrcHostname,\\r\\n    DstIpAddr,\\r\\n    DstPortNumber,\\r\\n    DstHostname,\\r\\n    TimeGenerated\\r\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]), '/')[-1])\\r\\n| extend FileWithdualextension = extract(@'([\\\\w-]+\\\\.\\\\w+\\\\.\\\\w+)$', 1, requestedFileName, typeof(string))\\r\\n| extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])\\r\\n| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files\\r\\n| summarize\\r\\n    EventCount=count(),\\r\\n    EventStartTime=min(TimeGenerated),\\r\\n    EventEndTime=max(TimeGenerated)\\r\\n    by\\r\\n    SrcIpAddr,\\r\\n    Url,\\r\\n    FileWithdualextension,\\r\\n    SrcUsername,\\r\\n    SrcHostname,\\r\\n    DstIpAddr,\\r\\n    DstPortNumber,\\r\\n    DstHostname\",\"size\":1,\"title\":\"Possible malicious double extension file upload\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webservers\"},\"name\":\"Web servers\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n    ),\\r\\n    (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n    )\\r\\n    | summarize count() by SrcIpAddr, DestHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where isnotempty(EventProduct)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventProduct\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(EventProduct_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventProduct=EventProduct_s\\r\\n        )\\r\\n    | distinct EventProduct\\r\\n    | count\\r\\n    | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where isnotempty(SrcUsername)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcUsername\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(SrcUsername_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcUsername\\r\\n        )\\r\\n    | distinct SrcUsername\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(SrcHostname)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(SrcHostname_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname=SrcHostname_s\\r\\n        )\\r\\n    | distinct SrcHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(SrcIpAddr)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcIpAddr\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(SrcIpAddr_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcIpAddr=SrcIpAddr_s\\r\\n        )\\r\\n    | distinct SrcIpAddr\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n        )\\r\\n    | distinct DestHostname\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique Dest HostNames\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(HttpUserAgent)\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}))\\r\\n        | distinct HttpUserAgent\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotempty(HttpUserAgent_s)\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}))\\r\\n        | distinct HttpUserAgent=HttpUserAgent_s\\r\\n        )\\r\\n    | distinct HttpUserAgent\\r\\n    | count\\r\\n    | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unique Connections\",\"representation\":\"Connect\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Product Count\",\"representation\":\"Normal\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserNames\",\"representation\":\"AvatarDefault\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Source HostNames\",\"representation\":\"resource\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique Source IPs\",\"representation\":\"Publish\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserAgents\",\"representation\":\"Important\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique Hosts\",\"representation\":\"Book\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(EventProduct)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | extend EventProduct = EventProduct_s\\r\\n        | where isnotempty(EventProduct)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by products over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(EventResult)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventResult, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | extend EventResult = EventResult_s\\r\\n        | where isnotempty(EventResult)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount_d)) by EventResult, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by EventResult, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by result over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventResult\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Failure\",\"color\":\"red\"},{\"seriesName\":\"Success\",\"color\":\"green\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by result over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n    _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n    | where EventType =~ 'HTTPsession'\\r\\n    | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | where toint(EventResultDetails) > 399 // Take events resulted in errors\\r\\n    | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n    WebSession_Summarized_SrcIP_CL\\r\\n    | where EventTime_t >= {TimeRange:start}\\r\\n    | where EventType_s =~ 'HTTPsession'\\r\\n    | extend\\r\\n        SrcIpAddr=SrcIpAddr_s,\\r\\n        DestHostname=DestDomain_s,\\r\\n        SrcUsername=SrcUsername_s,\\r\\n        SrcHostname=SrcHostname_s,\\r\\n        SrcBytes = SrcBytes_d,\\r\\n        DstBytes = DstBytes_d\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | where toint(EventResultDetails_s) > 399 // Take events resulted in errors\\r\\n    | summarize EventCount=tolong(sum(EventCount_d)) by EventResultDetails=EventResultDetails_s, TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n    )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Errors by type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"Errors by type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotempty(EventType)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n         | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n         and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n         and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n         and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by EventType, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | extend EventType=EventType_s, EventCount=EventCount_d, EventTime=EventTime_t\\r\\n        | where isnotempty(EventType)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n         | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n         and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n         and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n         and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by EventType, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by EventType, bin(TimeGenerated, {TimeRange:grain})\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by type\",\"color\":\"lightBlue\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"20\",\"name\":\"Events by type\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where EventType =~ 'HTTPsession'\\r\\n        | where isnotnull(SrcBytes) or isnotnull(DstBytes)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where EventType_s =~ 'HTTPsession'\\r\\n        | where isnotnull(SrcBytes_d) or isnotnull(DstBytes_d)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize DataSent = sum(DataSent),  DataReceived=tolong(sum(DataReceived)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n    | project DataSentinGB = format_bytes(DataSent,0,'GB'), DataReceivedinGB=format_bytes(DataReceived,0,'GB'), TimeGenerated\\r\\n    | extend DataSentinGB = toint(replace_string(DataSentinGB,\\\" GB\\\",\\\"\\\")), DataReceivedinGB = toint(replace_string(DataReceivedinGB,\\\" GB\\\",\\\"\\\"))\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Sent and Received data in GB over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"customWidth\":\"40\",\"name\":\"Sent and Received data in GB over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n    _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n    | where EventType =~ 'HTTPsession'\\r\\n    | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n         and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n         and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n         and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize DestHostnameSet = make_set(DestHostname, 1000000) by bin(TimeGenerated, {TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n    WebSession_Summarized_SrcIP_CL\\r\\n    | where EventTime_t >= {TimeRange:start}\\r\\n    | where EventType_s =~ 'HTTPsession'\\r\\n| where isnotempty(DestDomain_s)\\r\\n| extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize DestHostnameSet = make_set(DestHostname, 1000000) by TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n)\\r\\n| summarize TotalSites = array_length(make_set(DestHostnameSet, 1000000)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Distinct requested applications over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"40\",\"name\":\"Distinct requested applications over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'HTTPsession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"Urls with most failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Urls with most failed requests count\"}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webproxies\"},\"name\":\"Group - Web Proxies and Security Gateways\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | extend DestDomain = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n            | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(DestDomain)\\r\\n        | summarize RequestCount=tolong(count()) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project\\r\\n            SrcUsername=SrcUsername_s,\\r\\n            SrcIpAddr=SrcIpAddr_s,\\r\\n            SrcHostname=SrcHostname_s,\\r\\n            TimeGenerated=EventTime_t,\\r\\n            DestDomain=DestDomain_s,\\r\\n            EventCount=EventCount_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(DestDomain)\\r\\n        | summarize RequestCount=tolong(sum(EventCount)) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize RequestCount = sum(RequestCount) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain});\\r\\nlet UserData = WebData\\r\\n    | summarize RequestCount=sum(RequestCount) by User\\r\\n    | join kind=inner (WebData\\r\\n        | make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User)\\r\\n        on User\\r\\n    | order by RequestCount desc, User asc;\\r\\nWebData\\r\\n| summarize RequestCount=sum(RequestCount) by User, DestDomain\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DestDomain\\r\\n) on User, DestDomain\\r\\n| order by RequestCount desc, User asc\\r\\n| project Id=DestDomain, Name=DestDomain, RequestCount, Trend, ParentId=User, Type='DestDomain'\\r\\n| union (UserData\\r\\n| project Id=User, Name=User, RequestCount, Trend, ParentId = 'root', Type='User'\\r\\n)\\r\\n| order by RequestCount desc, Name asc\\r\\n| take 25\",\"size\":1,\"title\":\"Top sites of the top users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"50\",\"name\":\"Top sites of the top users\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n         WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | extend EventCount=EventCount_d, SrcIpAddr=SrcIpAddr_s, EventTime=EventTime_t, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, SrcHostname=SrcHostname_s\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User)\\r\\n         | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n    WebData\\r\\n    | summarize EventCount = sum(EventCount) by User\\r\\n    | join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n    ) on User\\r\\n    | project User, EventCount, Trend\\r\\n    | order by EventCount desc\\r\\n    | take 25\",\"size\":1,\"title\":\"Top Users with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":\"[]\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top Users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top Users with most server errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top client error types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top client error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top server error types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top server error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Success')\\r\\n        | extend Website = case(\\r\\n                        isnotempty(DstDomain),DstDomain\\r\\n                        , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n                        ,\\\"NA\\\"\\r\\n                            )\\r\\n        | where Website != \\\"NA\\\"\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n        | project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n        | extend Website = case(\\r\\n                        isnotempty(DestHostname),DestHostname\\r\\n                        ,\\\"NA\\\"\\r\\n                            )\\r\\n        | where Website != \\\"NA\\\" and EventResult_s =~ 'Success'\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by  Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Failure')\\r\\n        | extend Website = case(\\r\\n                        isnotempty(DstDomain),DstDomain\\r\\n                        , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n                        ,\\\"NA\\\"\\r\\n                            )\\r\\n        | where Website != \\\"NA\\\"\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n        | project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n        | extend Website = case(\\r\\n                        isnotempty(DestHostname),DestHostname\\r\\n                        ,\\\"NA\\\"\\r\\n                            )\\r\\n        | where Website != \\\"NA\\\" and EventResult_s =~ 'Failure'\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by  Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, SrcBytes= SrcBytes_d\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize DataSent = sum(DataSent) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n    WebData\\r\\n    | summarize DataSent = sum(DataSent) by User\\r\\n    | join kind=inner (WebData\\r\\n    | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n    ) on User\\r\\n    | project User, DataSentinMB=DataSent/1048576, Trend\\r\\n    | order by DataSentinMB desc\\r\\n    | take 25\",\"size\":1,\"title\":\"Users with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"SentData\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest upload (MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(DstBytes)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n     | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project  SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n        | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n        | where isnotempty(User) and isnotempty(DstBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n     and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n     and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n     and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n    )\\r\\n    | summarize DataReceived = sum(DataReceived) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n    WebData\\r\\n    | summarize DataReceived = sum(DataReceived) by User\\r\\n    | join kind=inner (WebData\\r\\n    | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n    ) on User\\r\\n    | project User, DataReceivedinMB=DataReceived/1048576, Trend\\r\\n    | order by DataReceivedinMB desc\\r\\n    | take 25\",\"size\":1,\"title\":\"Users with highest download (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest download (MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | extend Website = case(\\r\\n                       isnotempty(DstDomain),\\r\\n                       DstDomain\\r\\n            ,\\r\\n                       isnotempty(Url),\\r\\n                       tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n            ,\\r\\n                       \\\"NA\\\"\\r\\n                   )\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | where Website != \\\"NA\\\" and isnotempty(SrcBytes)\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project\\r\\n            SrcIpAddr=SrcIpAddr_s,\\r\\n            EventResultDetails=EventResultDetails_s,\\r\\n            EventCount=EventCount_d,\\r\\n            EventTime=EventTime_t,\\r\\n            SrcUsername=SrcUsername_s,\\r\\n            SrcHostname=SrcHostname_s,\\r\\n            DestHostname=DestDomain_s,\\r\\n            SrcBytes= SrcBytes_d\\r\\n        | extend Website = case(\\r\\n                       isnotempty(DestHostname),\\r\\n                       DestHostname\\r\\n            ,\\r\\n                       \\\"NA\\\"\\r\\n                   )\\r\\n        | where Website != \\\"NA\\\" and isnotnull(SrcBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize DataSent = sum(DataSent) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataSent = sum(DataSent) by Website\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n    )\\r\\n    on Website\\r\\n| project Website, DataSentinMB=DataSent / 1048576, Trend\\r\\n| order by DataSentinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest upload (MB) (no summarization)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | project DstDomain, Url, TimeGenerated, DstBytes, SrcIpAddr, SrcUsername, SrcHostname\\r\\n        | extend Website = case(\\r\\n                       isnotempty(DstDomain),\\r\\n                       DstDomain\\r\\n            ,\\r\\n                       isnotempty(Url),\\r\\n                       tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n            ,\\r\\n                       \\\"NA\\\"\\r\\n                   )\\r\\n        | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project\\r\\n            SrcIpAddr=SrcIpAddr_s,\\r\\n            EventResultDetails=EventResultDetails_s,\\r\\n            EventCount=EventCount_d,\\r\\n            EventTime=EventTime_t,\\r\\n            SrcUsername=SrcUsername_s,\\r\\n            SrcHostname=SrcHostname_s,\\r\\n            DestHostname=DestDomain_s,\\r\\n            DstBytes= DstBytes_d\\r\\n        | extend Website = case(\\r\\n                       isnotempty(DestHostname),\\r\\n                       DestHostname\\r\\n            ,\\r\\n                       \\\"NA\\\"\\r\\n                   )\\r\\n        | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n        | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize DataReceived = sum(DataReceived) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataReceived = sum(DataReceived) by Website\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n    )\\r\\n    on Website\\r\\n| project Website, DataReceivedinMB=DataReceived / 1048576, Trend\\r\\n| order by DataReceivedinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest download(MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest download(MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n        _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n        | where isnotempty(HttpReferrer)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ;\\r\\n    WebData\\r\\n    | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n    | join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n    ) on HttpReferrer\\r\\n    | project HttpReferrer, EventCount, Trend\\r\\n    | order by EventCount desc\\r\\n    | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n        _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n        | where isnotempty(HttpReferrer)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n            and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n            and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n            and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n    ;\\r\\n    WebData\\r\\n    | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n    | join kind=inner (WebData\\r\\n     | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n    ) on HttpReferrer\\r\\n    | project HttpReferrer, EventCount, Trend\\r\\n    | order by EventCount desc\\r\\n    | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Failure\\\")\\r\\n        | project UrlCategory, TimeGenerated\\r\\n        | where isnotempty(UrlCategory)\\r\\n        | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n        | where isnotempty(UrlCategory) and EventResult =~ \\\"Failure\\\"\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Success\\\")\\r\\n        | project UrlCategory, TimeGenerated\\r\\n        | where isnotempty(UrlCategory)\\r\\n        | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n        | where isnotempty(UrlCategory) and EventResult =~ \\\"Success\\\"\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n        | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n        | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project\\r\\n            HttpUserAgent=HttpUserAgent_s,\\r\\n            EventCount=EventCount_d,\\r\\n            EventTime=EventTime_t,\\r\\n            EventResult=EventResult_s\\r\\n        | where isnotempty(HttpUserAgent)\\r\\n            and HttpUserAgent != 'Unknown'\\r\\n            and EventResult =~ 'Success'\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n    )\\r\\n    on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP User Agents by successful request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by successful request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData =    \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n        | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n        | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project\\r\\n            HttpUserAgent=HttpUserAgent_s,\\r\\n            EventCount=EventCount_d,\\r\\n            EventTime=EventTime_t,\\r\\n            EventResult=EventResult_s\\r\\n        | where isnotempty(HttpUserAgent)\\r\\n            and HttpUserAgent != 'Unknown'\\r\\n            and EventResult =~ 'Failure'\\r\\n        | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n        )\\r\\n    | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n    | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n    )\\r\\n    on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP User Agents by failed request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by failed request count\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"topQueries\"},\"name\":\"Group - Top Queries\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nlet distinctThreats = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where (ThreatName !in~ (exludeString) and isnotempty(ThreatName))\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where (ThreatName_s !in~ (exludeString) and isnotempty(ThreatName_s))\\r\\n        | extend ThreatName = ThreatName_s\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        )\\r\\n    | summarize Result=tostring(dcount(ThreatName))\\r\\n    | extend Query = \\\"Distinct ThreatNames\\\", orderNum = 1;\\r\\nlet distinctThreatCategory = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where (ThreatCategory !in~ (exludeString) and isnotempty(ThreatCategory))\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where (ThreatCategory_s !in~ (exludeString) and isnotempty(ThreatCategory_s))\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend ThreatCategory = ThreatCategory_s\\r\\n        )\\r\\n    | summarize Result=tostring(dcount(ThreatCategory))\\r\\n    | extend Query = \\\"Distinct Threat Categories\\\", orderNum = 2;\\r\\nlet maxRiskLevel = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where ThreatRiskLevel > 60\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where ThreatRiskLevel_d > 60\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend ThreatRiskLevel = toint(ThreatRiskLevel_d)\\r\\n        )\\r\\n    | summarize Max_RiskLevel=max(ThreatRiskLevel)\\r\\n    | extend Result=tostring(iff(isempty(Max_RiskLevel), 0, Max_RiskLevel))\\r\\n    | extend Query = \\\"Maximum RiskLevel\\\", orderNum = 3;\\r\\nlet maxThreatConfidence = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | extend ThreatOriginalConfidence=toint(ThreatOriginalConfidence)\\r\\n        | where ThreatOriginalConfidence > 0\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where toint(ThreatOriginalConfidence_d) > 0\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, ThreatOriginalConfidence=ThreatOriginalConfidence_d\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n        )\\r\\n    | summarize Max_ThreatOriginalConfidence=max(ThreatOriginalConfidence)\\r\\n    | extend Result=tostring(iff(isempty(Max_ThreatOriginalConfidence), 0, Max_ThreatOriginalConfidence))\\r\\n    | extend Query = \\\"Maximum ThreatConfidence\\\", orderNum = 4;\\r\\nlet MaxEventSeverity = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventSeverity\\r\\n        ),\\r\\n        (  \\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(EventSeverity_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct EventSeverity=EventSeverity_s\\r\\n        )\\r\\n    | distinct EventSeverity\\r\\n    | summarize EventSeverity=make_set(EventSeverity, 5)\\r\\n    | extend Result=case(\\r\\n                               EventSeverity has 'High',\\r\\n                               'High',\\r\\n                               EventSeverity has 'Medium',\\r\\n                               'Medium',\\r\\n                               EventSeverity has 'Low',\\r\\n                               'Low',\\r\\n                               EventSeverity has 'Informational',\\r\\n                               'Informational',\\r\\n                               EventSeverity\\r\\n                           )\\r\\n    | extend Query = \\\"Max Event Severity\\\", orderNum = 5;\\r\\nunion distinctThreatCategory, distinctThreats, maxRiskLevel, maxThreatConfidence, MaxEventSeverity\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Query\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"!=\",\"thresholdValue\":\"0\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n    _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n    | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n    | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=count() by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult, bin(TimeGenerated, {TimeRange:grain})\\r\\n    ),\\r\\n    (\\r\\n    WebSession_Summarized_ThreatInfo_CL\\r\\n    | where EventTime_t >= {TimeRange:start}\\r\\n    | project ThreatName=ThreatName_s, EventCount=EventCount_d, TimeGenerated=EventTime_t, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n    | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=tolong(sum(EventCount)) by ThreatName, bin(TimeGenerated, {TimeRange:grain})\\r\\n    )\\r\\n| summarize EventCount = sum(EventCount) by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n| order by EventCount\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat name\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Events by threat name\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nunion isfuzzy=true \\r\\n    (\\r\\n    _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n    | where ThreatCategory !in~ (exludeString)\\r\\n    | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=count() by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    ),\\r\\n    (\\r\\n    WebSession_Summarized_ThreatInfo_CL\\r\\n    | where EventTime_t >= {TimeRange:start}\\r\\n    | project ThreatCategory=ThreatCategory_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n    | where ThreatCategory !in~ (exludeString)\\r\\n    | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n    | summarize EventCount=tolong(sum(EventCount)) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    )\\r\\n| summarize EventCount = sum(EventCount) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project EventSeverity=EventSeverity_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n\\t  | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n      | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t  | summarize EventCount=tolong(sum(EventCount)) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    )\\r\\n    | summarize EventCount=sum(EventCount) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Severity over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true  \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | where ThreatRiskLevel > 60\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project ThreatRiskLevel=toint(ThreatRiskLevel_d), EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n        | where ThreatRiskLevel > 60\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t  | summarize EventCount=tolong(sum(EventCount)) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    )\\r\\n    | summarize EventCount=sum(EventCount) by tostring(ThreatRiskLevel), ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Risk Level over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n        | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n        | where ThreatOriginalConfidence > 0\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_ThreatInfo_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where ThreatOriginalConfidence_d > 0\\r\\n        | project ThreatOriginalConfidence=toint(ThreatOriginalConfidence_d), EventTime_t, EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n      | summarize EventCount=tolong(sum(EventCount_d)) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n    )\\r\\n    | summarize EventCount=sum(EventCount) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"title\":\"Events by Confidence over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllPublicIPs = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where not(ipv4_is_private(SrcIpAddr))\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend PublicIPAddress = SrcIpAddr\\r\\n        | where PublicIPAddress != ''\\r\\n\\t\\t| project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | project SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where not(ipv4_is_private(SrcIpAddr))\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend PublicIPAddress = SrcIpAddr\\r\\n        | where PublicIPAddress != ''\\r\\n        | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n        | where not(ipv4_is_private(DstIpAddr))\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | extend PublicIPAddress = DstIpAddr\\r\\n        | where PublicIPAddress != ''\\r\\n        | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n    )\\r\\n    | distinct PublicIPAddress;\\r\\n    ThreatIntelligenceIndicator\\r\\n    | where NetworkIP in~ (AllPublicIPs)\",\"size\":1,\"title\":\"Source or Destination IPs matching with Threat Intelligence indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where isnotempty(DestHostname)\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    )\\r\\n    | distinct DestHostname;\\r\\n    ThreatIntelligenceIndicator\\r\\n    | where Url has_any(AllDstWebsites)\",\"size\":1,\"title\":\"Requested URL matching with Threat Intelligence Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Requested URL with Threat Intelligence Indicators\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcIPs = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(SrcIpAddr)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| project SrcIpAddr\\r\\n\\t\\t| distinct SrcIpAddr\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcIpAddr_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct SrcIpAddr=SrcIpAddr_s\\r\\n    )\\r\\n    | distinct SrcIpAddr;\\r\\nlet AllDstIPs = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n        | where isnotempty(DstIpAddr)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DstIpAddr_s)\\r\\n        | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n    )\\r\\n    | distinct DstIpAddr;\\r\\nlet AllIPs =\\r\\nunion AllSrcIPs, AllDstIPs;\\r\\n    SecurityAlert\\r\\n    | where TimeGenerated > {TimeRange:start}\\r\\n    | extend Parsed_Entities = parse_json(Entities)\\r\\n    | mv-expand Parsed_Entities\\r\\n    | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n    | where Parsed_EntityType =~ 'ip'\\r\\n    | extend IPEntity = tostring(Parsed_Entities.Address)\\r\\n    | project-away Parsed_Entities\\r\\n    | where IPEntity in~ (AllIPs)\\r\\n    | project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, IPEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source or Destination IPs matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n    (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(Url)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    ),\\r\\n    (\\r\\n        WebSession_Summarized_DstIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(DestDomain_s)\\r\\n        | extend DestHostname = DestDomain_s\\r\\n        | where ('*' in~ ({SrcIpAddr}))\\r\\n        and ('*' in~ ({SrcUsername}))\\r\\n        and ('*' in~ ({SrcHostname}))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct DestHostname\\r\\n    )\\r\\n    | distinct DestHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n    | extend Parsed_Entities = parse_json(Entities)\\r\\n    | mv-expand Parsed_Entities\\r\\n    | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n    | where Parsed_EntityType =~ 'url'\\r\\n    | extend UrlEntity = tostring(Parsed_Entities.Url)\\r\\n    | project-away Parsed_Entities\\r\\n| where UrlEntity has_any (AllDstWebsites)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, UrlEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Request URLs matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcHostnames = \\r\\n    union isfuzzy=true \\r\\n        (\\r\\n        _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n        | where isnotempty(SrcHostname)\\r\\n        | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname\\r\\n        ),\\r\\n        (\\r\\n        WebSession_Summarized_SrcIP_CL\\r\\n        | where EventTime_t >= {TimeRange:start}\\r\\n        | where isnotempty(SrcHostname_s)\\r\\n        | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n        | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n        and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n        and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n        and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n        | distinct SrcHostname=SrcHostname_s\\r\\n        )\\r\\n    | distinct SrcHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n    | extend Parsed_Entities = parse_json(Entities)\\r\\n    | mv-expand Parsed_Entities\\r\\n    | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n    | where Parsed_EntityType =~ 'host'\\r\\n    | extend HostEntity = tostring(Parsed_Entities.HostName)\\r\\n    | project-away Parsed_Entities\\r\\n| where HostEntity in~ (AllSrcHostnames)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, HostEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source HostNames matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"query - 10\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"threatevents\"},\"name\":\"Threat Events\"}],\"fromTemplateId\":\"sentinel-WebSessionDomainSolution\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
                 "version": "1.0",
                 "sourceId": "[variables('workspaceResourceId')]",
                 "category": "sentinel"