diff --git a/Solutions/KQL Training/Package/3.0.0.zip b/Solutions/KQL Training/Package/3.0.0.zip
index 7b8bb88892f..a4f37478721 100644
Binary files a/Solutions/KQL Training/Package/3.0.0.zip and b/Solutions/KQL Training/Package/3.0.0.zip differ
diff --git a/Solutions/KQL Training/Package/createUiDefinition.json b/Solutions/KQL Training/Package/createUiDefinition.json
index 68a78288b31..7588741de61 100644
--- a/Solutions/KQL Training/Package/createUiDefinition.json
+++ b/Solutions/KQL Training/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/KQL Training/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe KQL Training solution for Microsoft Sentinel contains resources that can help up – skill on understanding the fundamentals and using KQL in advanced scenarios like authoring effective and optimized queries used in Sentinel Analytics, Hunting Queries, Workbooks, etc. \n\nAll content packaged in this solution is built and supported by the Microsoft Sentinel community. For any support, please create an [issue](https://github.com/Azure/Azure-Sentinel/issues) on the Microsoft Sentinel GitHub repository.\n\n**Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/KQL Training/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe KQL Training solution for Microsoft Sentinel contains resources that can help up – skill on understanding the fundamentals and using KQL in advanced scenarios like authoring effective and optimized queries used in Microsoft Sentinel Analytics, Hunting Queries, Workbooks, etc. \n\nAll content packaged in this solution is built and supported by the Microsoft Sentinel community. 
For any support, please create an [issue](https://github.com/Azure/Azure-Sentinel/issues) on the Microsoft Sentinel GitHub repository.\n\n**Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/KQL Training/Package/mainTemplate.json b/Solutions/KQL Training/Package/mainTemplate.json
index 6c8ad20b018..e14c691f651 100644
--- a/Solutions/KQL Training/Package/mainTemplate.json
+++ b/Solutions/KQL Training/Package/mainTemplate.json
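Review bot: The rewritten `+ "description"` line still carries a markdown link whose destination contains an unencoded space, `[Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/KQL Training/ReleaseNotes.md)`, and most markdown renderers stop the link destination at the first space, so the Release Notes link that the note asks installers to read first is likely to render broken. Since this commit already retouches that string, it would be the place to percent-encode the path segment, `.../Solutions/KQL%20Training/ReleaseNotes.md`. The same line also reads "help up – skill", which appears to be a typo for "upskill" in user-facing text.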
@@ -166,7 +166,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"345358d7-fa59-4e01-80ff-fd274e78d073\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"github\",\"label\":\"Github Repository\",\"type\":1,\"description\":\"This is the github repository we will use. Generally you won't change this\",\"isRequired\":true,\"isGlobal\":true,\"value\":\"Azure/Azure-Sentinel/master/Tools/IntrotoKQL\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"1b617550-b934-46a2-9a71-e48ef40aab00\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AllExercises\",\"type\":1,\"query\":\"externaldata (tab:string, section:string, exercises:dynamic, markdown:string) [\\r\\n @'https://raw.githubusercontent.com/{github}/all_exercises.json'\\r\\n] with (format=\\\"multijson\\\")\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e397ee05-93c3-42be-9560-80bc6b6bc178\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"json\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"CustomEndpoint/1.0\\\",\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"https://raw.githubusercontent.com/{github}/all_exercises.json\\\",\\\"contentType\\\":\\\"text/plain\\\",\\\"ignoreStandardHeaders\\\":true}\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"json\"},\"queryType\":10},{\"id\":\"451a0851-dea1-4c88-886a-ed9736612ccb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AllDatasets\",\"type\":1,\"isGlobal\":true,\"query\":\"externaldata (tables:string) [\\r\\n@\\\"https://raw.githubusercontent.com/{github}/Datasets/all_datasets.json\\\"\\r\\n]\\r\\nwith 
(format=\\\"multijson\\\")\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":10},\"name\":\"parameters - 16\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"ccd64330-9dc6-4388-b618-d20767f2f962\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Welcome\",\"subTarget\":\"Welcome\",\"style\":\"link\"},{\"id\":\"589778dd-4b96-4c61-a58c-eb32f5e43c41\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Overview\",\"style\":\"link\"},{\"id\":\"09338df5-091b-46d4-9fee-63b69cb4ee76\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Scalar Operators\",\"subTarget\":\"Scalar\",\"style\":\"link\"},{\"id\":\"e536ef91-d9ea-413f-96dd-357b47ac21fb\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Advanced Aggregations\",\"subTarget\":\"Advanced\",\"style\":\"link\"},{\"id\":\"f7f6fefd-09cc-4c02-8b94-071d85ee892a\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dataset Operators\",\"subTarget\":\"Dataset\",\"style\":\"link\"},{\"id\":\"14e62080-54b6-4194-b7e5-d5bcb22d4621\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"External Data\",\"subTarget\":\"External\",\"style\":\"link\"},{\"id\":\"7cdfef8c-7c30-4c46-9d6e-0c6f91d0886e\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"String Operators\",\"subTarget\":\"String\",\"style\":\"link\"},{\"id\":\"2e2c5a51-b3cc-4812-9235-bf1da9c42ed7\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Anomaly Operators\",\"subTarget\":\"Anomalies\",\"style\":\"link\"},{\"id\":\"084b5b60-1666-4d85-a580-cc37bcd17027\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Misc. 
Operators\",\"subTarget\":\"Misc\",\"style\":\"link\"}]},\"name\":\"links - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Welcome!\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Summary\\r\\nWelcome to the Intro to KQL workbook. This workbook has been developed to assist new and existing users learn and grow in the Kusto Query Language (KQL). The goal of this workbook is to introduce the most commonly used KQL operators that are relevant to Microsoft Sentinel. By the end of the workbook, your knowledge will be at a 200 level.
\\r\\n\\r\\nThis workbook will be a living resource in that it will continue to be improved over time based on feedback, requests, and newly introduced scenarios. The version of this workbook is currently V1.1.\\r\\n

\\r\\n\\r\\n### Structure\\r\\nThis workbook is comprised of multiple tabs. Each tab contains several key items:\\r\\n- Operator: choose an operator to study.\\r\\n- Exercise: choose an exercise to practice.\\r\\n- Data type: corresponds to the data table that is being used in the exercise.\\r\\n- Answer: decide if you would like to to see the answer.\\r\\n- Summary: details about the operator that has been selected.\\r\\n- Example: samples of how a real query would look like with the selected operator.\\r\\n- When to use: advice around when the selected operator is used with Microsoft Sentinel.\\r\\n\\r\\n#### Exercise Space\\r\\nThe exercise area is made up of 6 main items:\\r\\n- Question: selected exercise to perform.\\r\\n- Answer space: location where you will enter your answer.\\r\\n- Expected answer: the expected answer that you are attempting to achieve.\\r\\n- Your answer: the results from the query you have written.\\r\\n- Answer Checker: lists if the answer you have entered is correct or not.\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Workflow\\r\\n\\r\\n1. Select a tab to navigate.\\r\\n2. Choose an operator to practice.\\r\\n3. Select an exercise to attempt.\\r\\n4. Enter your answer and confirm if it is correct. If not, reference documentation and content until correct.\\r\\n5. 
Move on to another operator or attempt other exercises for that operator.\\r\\n\\r\\n### Helpful Links\\r\\n\\r\\n**KQL Public Documentation:** https://docs.microsoft.com/azure/data-explorer/kusto/query/\\r\\n\\r\\n**Pluralsight KQL Course:** https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch\\r\\n\\r\\n**KQL CheatSheet:** https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/azure-data-explorer-kql-cheat-sheets/ba-p/1057404\\r\\n\\r\\n**Log Analytics Demo Environment:** https://aka.ms/lademo\\r\\n\\r\\n**Microsoft Sentinel Compiled Level 400 Training:** https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Welcome\"},\"name\":\"Welcome\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1ad61717-0dd7-430b-a948-cef2d3618738\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Section\",\"label\":\"Select Section\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"print tab = todynamic({json:value})\\r\\n| mvexpand parse_json(tab)\\r\\n| evaluate bag_unpack(tab)\\r\\n| where tab == \\\"{Tab}\\\"\\r\\n| distinct section\\r\\n| serialize Rank = row_number()\\r\\n| project value = section, label = section, selected = iff(Rank == 1, true, false)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\"},{\"id\":\"0c106e37-c059-4b2b-a80d-c4119629d1a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Exercise\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"print tab = todynamic({json:value})\\r\\n| mvexpand parse_json(tab)\\r\\n| evaluate bag_unpack(tab)\\r\\n| where section == \\\"{Section}\\\" and tab == \\\"{Tab}\\\"\\r\\n| mvexpand 
exercises=(exercises.value)\\r\\n| evaluate bag_unpack(exercises)\\r\\n| extend packed = pack_all()\\r\\n| serialize Rank = row_number()\\r\\n| project\\r\\n value = tostring(packed),\\r\\n label = name,\\r\\n selected = iff(Rank == 1, true, false)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b2ae8bac-db12-4c75-8d3e-42c002d288d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dataset\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"let exercise = todynamic(\\\"{Exercise:escapejson}\\\");\\r\\nlet dataset = iff( isempty(exercise.dataset), \\\"Weather\\\", exercise.dataset);\\r\\ndatatable(tables:string)[\\\"{AllDatasets:escapejson}\\\"]\\r\\n| mvexpand todynamic(tables)\\r\\n| evaluate bag_unpack(tables)\\r\\n| extend kql = base64_decode_tostring(kql_reference)\\r\\n| serialize Rank = row_number()\\r\\n| project value = kql, label = name, selected = iff(name == dataset, true, false)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::1\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2f5c56e7-dee3-46e7-b699-e331079e1d47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Question\",\"type\":1,\"isGlobal\":true,\"query\":\"print(todynamic(\\\"{Exercise:escapejson}\\\").question)\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e5be7ed3-5eed-4b66-9db7-a0c2c132783b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Answer\",\"type\":1,\"isGlobal\":true,\"query\":\"let answer = 
todynamic(\\\"{Exercise:escapejson}\\\").answer;\\r\\nprint(base64_decode_tostring(tostring(answer)))\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"d4ecbbf3-25a0-4130-bc7d-50edead67b01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Markdown\",\"type\":1,\"query\":\"let markdown = todynamic(\\\"{Exercise:escapejson}\\\").markdown;\\r\\nprint(base64_decode_tostring(tostring(markdown)))\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c94574f-3e3d-4d73-bed8-3eeebed298d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ShowDoc\",\"label\":\"Show Documentation\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": false}\\r\\n]\",\"value\":\"No\"},{\"id\":\"ad9dc5ed-16a0-4157-88a2-bfe937e34e3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ShowAnswer\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : false},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": true}\\r\\n]\",\"label\":\"Show Answer\"},{\"id\":\"4f9a31b5-1f75-42af-85a7-c96af37a0d0c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LetDetected\",\"type\":1,\"query\":\"let result = iff(\\\"{Section}\\\" in ('Let','Union', 'Parse', 'Materialize', 'Function'), true, false);\\r\\nprint(result)\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Error\",\"label\":\"Seeing 
Error\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : false},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": true}\\r\\n]\",\"id\":\"9edc3ceb-a3a7-42bd-8ce1-e7ad666934e4\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"100\",\"name\":\"parameters - 4 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Fixing the Error\\r\\n\\r\\nThe error you are seeing is due to workbooks in Azure requiring external data sources to be marked as trusted. As this workbook pulls all of its content from GitHub, the repository must be marked as trusted. This is on a user session level and cannot be set within the workbook template. To fix the error:\\r\\n\\r\\n1. Go into edit mode.\\r\\n2. Under the hidden parameters at the top of the page, click edit.\\r\\n3. Check the box next to json.\\r\\n4. Click on the edit pencil icon.\\r\\n5. Click 'run query'.\\r\\n6. Click 'mark as trusted'.\\r\\n7. Click save.\\r\\n8. Exit edit mode.\\r\\n\\r\\nThe error should be gone and the content will be loaded.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Error\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"The Kusto Query Language is the query language of choice within Microsoft Sentinel, Azure Log Analytics, and Azure Data Explorer. Kusto is similar to SQL in syntax and logic. The basic structure of Kusto appears as so:\\r\\n\\r\\nTable | operator clause/predicate\\r\\n\\r\\nThe table will specify which logs will be queried. 
The operator will dictate what type of filter, action, etc.\",\"style\":\"success\"},\"conditionalVisibilities\":[{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},{\"parameterName\":\"ShowDoc\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"}],\"name\":\"Welcome\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Section} - Exercise: {Exercise:label}\\r\\n\\r\\n{Markdown}\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"ShowDoc\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"markdown\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"NotWelcome\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

\\r\\n![Question](https://shields.io/badge/-Question-informational)\\r\\n
{Question}\\r\\n

\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"text - 9\"},{\"type\":1,\"content\":{\"json\":\"

Answer

\\r\\n\\r\\n```\\r\\n{Answer}\\r\\n```\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"ShowAnswer\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"markdown - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Question\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"341ea875-d1ff-4cbc-a9f6-421eeb82368c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Query\",\"type\":1,\"description\":\"Enter KQL query here to answer\",\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"kql\",\"multiLineHeight\":7},\"criteriaData\":[{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"{Dataset:label} | limit 10\"}}],\"timeContext\":{\"durationMs\":86400000},\"label\":\"Put your answer here\"}],\"style\":\"formVertical\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"50\",\"name\":\"QueryControl\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Results\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let {Dataset:label} = () {{Dataset}};\\r\\n{Answer}\",\"size\":1,\"title\":\"Expected Results\",\"noDataMessage\":\"Had trouble producing the expected answer\",\"noDataMessageStyle\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":500}},\"customWidth\":\"40\",\"conditionalVisibilities\":[{\"parameterName\":\"Stack\",\"comparison\":\"isNotEqualTo\",\"value\":\"Vertical\"},{\"parameterName\":\"Section\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Exercise\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"HTarget\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let {Dataset:label} = 
() {{Dataset}};\\r\\n{Query}\",\"size\":1,\"title\":\"Your answer\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Error\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"90%\"}},{\"columnMatch\":\"code\",\"formatter\":5},{\"columnMatch\":\"message\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"90%\"}}],\"rowLimit\":500},\"customWidth\":\"45\",\"conditionalVisibilities\":[{\"parameterName\":\"Stack\",\"comparison\":\"isNotEqualTo\",\"value\":\"Vertical\"},{\"parameterName\":\"Section\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Exercise\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"HResult\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let get_table_hash = (t:(*)) {\\r\\n t\\r\\n | project packed = pack_all()\\r\\n | summarize list = make_list(packed)\\r\\n | project hashvalue = hash(tostring(list))\\r\\n};\\r\\nlet check_tables_match = (table1:(*), table2:(*)) {\\r\\n get_table_hash(table1)\\r\\n | join get_table_hash(table2) on hashvalue\\r\\n | project match = iff(hashvalue == hashvalue1, true, false)\\r\\n};\\r\\nlet {Dataset:label} = () {{Dataset}};\\r\\nlet answer = {Query};\\r\\nlet correctAnswer = {Answer};\\r\\ncheck_tables_match(answer, correctAnswer)\",\"size\":4,\"noDataMessage\":\"Answer does not seem to be correct\",\"noDataMessageStyle\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"match\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"Answer is 
Correct\"}]}}],\"rowLimit\":500},\"graphSettings\":{\"type\":0}},\"customWidth\":\"15\",\"conditionalVisibilities\":[{\"parameterName\":\"Query\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},{\"parameterName\":\"Answer\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LetDetected\",\"comparison\":\"isEqualTo\"}],\"name\":\"Result\"},{\"type\":1,\"content\":{\"json\":\"This exercise includes use of a let statement which cannot be evaluated. Please manually validate if your answer matches the expected results\",\"style\":\"warning\"},\"customWidth\":\"15\",\"conditionalVisibility\":{\"parameterName\":\"LetDetected\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"Results\"},{\"type\":1,\"content\":{\"json\":\"Set the path to the Advanced KQL workbook in your environment.
\\r\\n\\r\\nNote: If nothing is within the drop-down, you do not have the workbook deployed in your environment. You can find the workbook within the workbook gallery.\",\"style\":\"info\"},\"conditionalVisibilities\":[{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"String\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Anomalies\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Misc\"}],\"customWidth\":\"50\",\"name\":\"text - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"ed7e252c-2ae9-4be5-9e80-267b0274a9d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdvancedKQLWorkbookPath\",\"type\":2,\"query\":\"resources\\r\\n| where type == \\\"microsoft.insights/workbooks\\\"\\r\\n| where properties.displayName has 'advanced KQL for microsoft sentinel'\\r\\n| extend path = trim('[]', id)\\r\\n| project path\\r\\n| take 1\",\"crossComponentResources\":[\"value::selected\"],\"value\":\"\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"parameters - 10\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"173f69f1-a9c0-4ebc-a497-3e7354a32236\",\"cellValue\":\"{AdvancedKQLWorkbookPath}\",\"linkTarget\":\"Resource\",\"linkLabel\":\"Advanced KQL Framework\",\"subTarget\":\"Workbook\",\"preText\":\"If you would like to study more advanced 
topics:\",\"style\":\"primary\",\"linkIsContextBlade\":true,\"workbookContext\":{\"componentIdSource\":\"parameter\",\"componentId\":\"AdvancedKQLPath\",\"resourceIdsSource\":\"parameter\",\"resourceIds\":\"AdvancedKQLPath\",\"templateIdSource\":\"parameter\",\"templateId\":\"AdvancedKQLPath\",\"typeSource\":\"workbook\",\"gallerySource\":\"workbook\",\"locationSource\":\"default\"}},{\"id\":\"690a89fe-5c1d-4313-b442-ce059670840f\",\"cellValue\":\"https://aka.ms/lademo\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"ALA Demo\",\"preText\":\"If you would like to test any of the lessons learned, you can use the ALA Demo workspace here: \",\"style\":\"primary\",\"linkIsContextBlade\":true,\"bladeOpenContext\":{\"bladeName\":\"DemoLogsBlade\",\"extensionName\":\"Microsoft_Azure_Monitoring_Logs\"}},{\"id\":\"295f7752-374b-4680-b281-c5cb8b83d384\",\"cellValue\":\"https://aka.ms/introtokqlsurvey\",\"linkTarget\":\"Url\",\"linkLabel\":\"Feedback Form\",\"preText\":\"If you would like to submit feedback for this solution, please click on the form link here: \",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"50\",\"name\":\"links - 9\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"IntrotoKQL\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"345358d7-fa59-4e01-80ff-fd274e78d073\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"github\",\"label\":\"Github Repository\",\"type\":1,\"description\":\"This is the github repository we will use. 
Generally you won't change this\",\"isRequired\":true,\"isGlobal\":true,\"value\":\"Azure/Azure-Sentinel/master/Tools/IntrotoKQL\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"1b617550-b934-46a2-9a71-e48ef40aab00\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AllExercises\",\"type\":1,\"query\":\"externaldata (tab:string, section:string, exercises:dynamic, markdown:string) [\\r\\n @'https://raw.githubusercontent.com/{github}/all_exercises.json'\\r\\n] with (format=\\\"multijson\\\")\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e397ee05-93c3-42be-9560-80bc6b6bc178\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"json\",\"type\":1,\"query\":\"{\\\"version\\\":\\\"CustomEndpoint/1.0\\\",\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"https://raw.githubusercontent.com/{github}/all_exercises.json\\\",\\\"contentType\\\":\\\"text/plain\\\",\\\"ignoreStandardHeaders\\\":true}\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"json\"},\"queryType\":10},{\"id\":\"451a0851-dea1-4c88-886a-ed9736612ccb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AllDatasets\",\"type\":1,\"isGlobal\":true,\"query\":\"externaldata (tables:string) [\\r\\n@\\\"https://raw.githubusercontent.com/{github}/Datasets/all_datasets.json\\\"\\r\\n]\\r\\nwith (format=\\\"multijson\\\")\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":10},\"name\":\"parameters - 
16\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"ccd64330-9dc6-4388-b618-d20767f2f962\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Welcome\",\"subTarget\":\"Welcome\",\"style\":\"link\"},{\"id\":\"589778dd-4b96-4c61-a58c-eb32f5e43c41\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Overview\",\"style\":\"link\"},{\"id\":\"09338df5-091b-46d4-9fee-63b69cb4ee76\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Scalar Operators\",\"subTarget\":\"Scalar\",\"style\":\"link\"},{\"id\":\"e536ef91-d9ea-413f-96dd-357b47ac21fb\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Advanced Aggregations\",\"subTarget\":\"Advanced\",\"style\":\"link\"},{\"id\":\"f7f6fefd-09cc-4c02-8b94-071d85ee892a\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dataset Operators\",\"subTarget\":\"Dataset\",\"style\":\"link\"},{\"id\":\"14e62080-54b6-4194-b7e5-d5bcb22d4621\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"External Data\",\"subTarget\":\"External\",\"style\":\"link\"},{\"id\":\"7cdfef8c-7c30-4c46-9d6e-0c6f91d0886e\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"String Operators\",\"subTarget\":\"String\",\"style\":\"link\"},{\"id\":\"2e2c5a51-b3cc-4812-9235-bf1da9c42ed7\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Anomaly Operators\",\"subTarget\":\"Anomalies\",\"style\":\"link\"},{\"id\":\"084b5b60-1666-4d85-a580-cc37bcd17027\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Misc. Operators\",\"subTarget\":\"Misc\",\"style\":\"link\"}]},\"name\":\"links - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Welcome!\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Summary\\r\\nWelcome to the Intro to KQL workbook. 
This workbook has been developed to assist new and existing users learn and grow in the Kusto Query Language (KQL). The goal of this workbook is to introduce the most commonly used KQL operators that are relevant to Microsoft Sentinel. By the end of the workbook, your knowledge will be at a 200 level.
\\r\\n\\r\\nThis workbook will be a living resource in that it will continue to be improved over time based on feedback, requests, and newly introduced scenarios. The version of this workbook is currently V1.1.\\r\\n

\\r\\n\\r\\n### Structure\\r\\nThis workbook is comprised of multiple tabs. Each tab contains several key items:\\r\\n- Operator: choose an operator to study.\\r\\n- Exercise: choose an exercise to practice.\\r\\n- Data type: corresponds to the data table that is being used in the exercise.\\r\\n- Answer: decide if you would like to to see the answer.\\r\\n- Summary: details about the operator that has been selected.\\r\\n- Example: samples of how a real query would look like with the selected operator.\\r\\n- When to use: advice around when the selected operator is used with Microsoft Sentinel.\\r\\n\\r\\n#### Exercise Space\\r\\nThe exercise area is made up of 6 main items:\\r\\n- Question: selected exercise to perform.\\r\\n- Answer space: location where you will enter your answer.\\r\\n- Expected answer: the expected answer that you are attempting to achieve.\\r\\n- Your answer: the results from the query you have written.\\r\\n- Answer Checker: lists if the answer you have entered is correct or not.\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### Workflow\\r\\n\\r\\n1. Select a tab to navigate.\\r\\n2. Choose an operator to practice.\\r\\n3. Select an exercise to attempt.\\r\\n4. Enter your answer and confirm if it is correct. If not, reference documentation and content until correct.\\r\\n5. 
Move on to another operator or attempt other exercises for that operator.\\r\\n\\r\\n### Helpful Links\\r\\n\\r\\n**KQL Public Documentation:** https://docs.microsoft.com/azure/data-explorer/kusto/query/\\r\\n\\r\\n**Pluralsight KQL Course:** https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch\\r\\n\\r\\n**KQL CheatSheet:** https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/azure-data-explorer-kql-cheat-sheets/ba-p/1057404\\r\\n\\r\\n**Log Analytics Demo Environment:** https://aka.ms/lademo\\r\\n\\r\\n**Microsoft Sentinel Compiled Level 400 Training:** https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Welcome\"},\"name\":\"Welcome\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1ad61717-0dd7-430b-a948-cef2d3618738\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Section\",\"label\":\"Select Section\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"print tab = todynamic({json:value})\\r\\n| mvexpand parse_json(tab)\\r\\n| evaluate bag_unpack(tab)\\r\\n| where tab == \\\"{Tab}\\\"\\r\\n| distinct section\\r\\n| serialize Rank = row_number()\\r\\n| project value = section, label = section, selected = iff(Rank == 1, true, false)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\"},{\"id\":\"0c106e37-c059-4b2b-a80d-c4119629d1a9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Exercise\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"print tab = todynamic({json:value})\\r\\n| mvexpand parse_json(tab)\\r\\n| evaluate bag_unpack(tab)\\r\\n| where section == \\\"{Section}\\\" and tab == \\\"{Tab}\\\"\\r\\n| mvexpand 
exercises=(exercises.value)\\r\\n| evaluate bag_unpack(exercises)\\r\\n| extend packed = pack_all()\\r\\n| serialize Rank = row_number()\\r\\n| project\\r\\n value = tostring(packed),\\r\\n label = name,\\r\\n selected = iff(Rank == 1, true, false)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b2ae8bac-db12-4c75-8d3e-42c002d288d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dataset\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"let exercise = todynamic(\\\"{Exercise:escapejson}\\\");\\r\\nlet dataset = iff( isempty(exercise.dataset), \\\"Weather\\\", exercise.dataset);\\r\\ndatatable(tables:string)[\\\"{AllDatasets:escapejson}\\\"]\\r\\n| mvexpand todynamic(tables)\\r\\n| evaluate bag_unpack(tables)\\r\\n| extend kql = base64_decode_tostring(kql_reference)\\r\\n| serialize Rank = row_number()\\r\\n| project value = kql, label = name, selected = iff(name == dataset, true, false)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::1\"],\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2f5c56e7-dee3-46e7-b699-e331079e1d47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Question\",\"type\":1,\"isGlobal\":true,\"query\":\"print(todynamic(\\\"{Exercise:escapejson}\\\").question)\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e5be7ed3-5eed-4b66-9db7-a0c2c132783b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Answer\",\"type\":1,\"isGlobal\":true,\"query\":\"let answer = 
todynamic(\\\"{Exercise:escapejson}\\\").answer;\\r\\nprint(base64_decode_tostring(tostring(answer)))\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"d4ecbbf3-25a0-4130-bc7d-50edead67b01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Markdown\",\"type\":1,\"query\":\"let markdown = todynamic(\\\"{Exercise:escapejson}\\\").markdown;\\r\\nprint(base64_decode_tostring(tostring(markdown)))\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c94574f-3e3d-4d73-bed8-3eeebed298d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ShowDoc\",\"label\":\"Show Documentation\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": false}\\r\\n]\",\"value\":\"No\"},{\"id\":\"ad9dc5ed-16a0-4157-88a2-bfe937e34e3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ShowAnswer\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : false},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": true}\\r\\n]\",\"label\":\"Show Answer\"},{\"id\":\"4f9a31b5-1f75-42af-85a7-c96af37a0d0c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LetDetected\",\"type\":1,\"query\":\"let result = iff(\\\"{Section}\\\" in ('Let','Union', 'Parse', 'Materialize', 'Function'), true, false);\\r\\nprint(result)\",\"isHiddenWhenLocked\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Error\",\"label\":\"Seeing 
Error\",\"type\":10,\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\" : false},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\": true}\\r\\n]\",\"id\":\"9edc3ceb-a3a7-42bd-8ce1-e7ad666934e4\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"100\",\"name\":\"parameters - 4 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Fixing the Error\\r\\n\\r\\nThe error you are seeing is due to workbooks in Azure requiring external data sources to be marked as trusted. As this workbook pulls all of its content from GitHub, the repository must be marked as trusted. This is on a user session level and cannot be set within the workbook template. To fix the error:\\r\\n\\r\\n1. Go into edit mode.\\r\\n2. Under the hidden parameters at the top of the page, click edit.\\r\\n3. Check the box next to json.\\r\\n4. Click on the edit pencil icon.\\r\\n5. Click 'run query'.\\r\\n6. Click 'mark as trusted'.\\r\\n7. Click save.\\r\\n8. Exit edit mode.\\r\\n\\r\\nThe error should be gone and the content will be loaded.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Error\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"The Kusto Query Language is the query language of choice within Microsoft Sentinel, Azure Log Analytics, and Azure Data Explorer. Kusto is similar to SQL in syntax and logic. The basic structure of Kusto appears as so:\\r\\n\\r\\nTable | operator clause/predicate\\r\\n\\r\\nThe table will specify which logs will be queried. 
The operator will dictate what type of filter, action, etc.\",\"style\":\"success\"},\"conditionalVisibilities\":[{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},{\"parameterName\":\"ShowDoc\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"}],\"name\":\"Welcome\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Section} - Exercise: {Exercise:label}\\r\\n\\r\\n{Markdown}\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"ShowDoc\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"markdown\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"NotWelcome\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

\\r\\n![Question](https://shields.io/badge/-Question-informational)\\r\\n
{Question}\\r\\n

\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"text - 9\"},{\"type\":1,\"content\":{\"json\":\"

Answer

\\r\\n\\r\\n```\\r\\n{Answer}\\r\\n```\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"ShowAnswer\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"markdown - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Question\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"341ea875-d1ff-4cbc-a9f6-421eeb82368c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Query\",\"type\":1,\"description\":\"Enter KQL query here to answer\",\"isRequired\":true,\"isGlobal\":true,\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"kql\",\"multiLineHeight\":7},\"criteriaData\":[{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"{Dataset:label} | limit 10\"}}],\"timeContext\":{\"durationMs\":86400000},\"label\":\"Put your answer here\"}],\"style\":\"formVertical\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"50\",\"name\":\"QueryControl\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Results\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let {Dataset:label} = () {{Dataset}};\\r\\n{Answer}\",\"size\":1,\"title\":\"Expected Results\",\"noDataMessage\":\"Had trouble producing the expected answer\",\"noDataMessageStyle\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":500}},\"customWidth\":\"40\",\"conditionalVisibilities\":[{\"parameterName\":\"Stack\",\"comparison\":\"isNotEqualTo\",\"value\":\"Vertical\"},{\"parameterName\":\"Section\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Exercise\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"HTarget\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let {Dataset:label} = 
() {{Dataset}};\\r\\n{Query}\",\"size\":1,\"title\":\"Your answer\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Error\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"90%\"}},{\"columnMatch\":\"code\",\"formatter\":5},{\"columnMatch\":\"message\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"90%\"}}],\"rowLimit\":500}},\"customWidth\":\"45\",\"conditionalVisibilities\":[{\"parameterName\":\"Stack\",\"comparison\":\"isNotEqualTo\",\"value\":\"Vertical\"},{\"parameterName\":\"Section\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Exercise\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"HResult\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let get_table_hash = (t:(*)) {\\r\\n t\\r\\n | project packed = pack_all()\\r\\n | summarize list = make_list(packed)\\r\\n | project hashvalue = hash(tostring(list))\\r\\n};\\r\\nlet check_tables_match = (table1:(*), table2:(*)) {\\r\\n get_table_hash(table1)\\r\\n | join get_table_hash(table2) on hashvalue\\r\\n | project match = iff(hashvalue == hashvalue1, true, false)\\r\\n};\\r\\nlet {Dataset:label} = () {{Dataset}};\\r\\nlet answer = {Query};\\r\\nlet correctAnswer = {Answer};\\r\\ncheck_tables_match(answer, correctAnswer)\",\"size\":4,\"noDataMessage\":\"Answer does not seem to be correct\",\"noDataMessageStyle\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"match\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"Answer is 
Correct\"}]}}],\"rowLimit\":500},\"graphSettings\":{\"type\":0}},\"customWidth\":\"15\",\"conditionalVisibilities\":[{\"parameterName\":\"Query\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},{\"parameterName\":\"Answer\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"LetDetected\",\"comparison\":\"isEqualTo\"}],\"name\":\"Result\"},{\"type\":1,\"content\":{\"json\":\"This exercise includes use of a let statement which cannot be evaluated. Please manually validate if your answer matches the expected results\",\"style\":\"warning\"},\"customWidth\":\"15\",\"conditionalVisibility\":{\"parameterName\":\"LetDetected\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"Results\"},{\"type\":1,\"content\":{\"json\":\"Set the path to the Advanced KQL workbook in your environment.
\\r\\n\\r\\nNote: If nothing is within the drop-down, you do not have the workbook deployed in your environment. You can find the workbook within the workbook gallery.\",\"style\":\"info\"},\"conditionalVisibilities\":[{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"String\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Anomalies\"},{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Misc\"}],\"customWidth\":\"50\",\"name\":\"text - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"ed7e252c-2ae9-4be5-9e80-267b0274a9d9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AdvancedKQLWorkbookPath\",\"type\":2,\"query\":\"resources\\r\\n| where type == \\\"microsoft.insights/workbooks\\\"\\r\\n| where properties.displayName has 'advanced KQL for microsoft sentinel'\\r\\n| extend path = trim('[]', id)\\r\\n| project path\\r\\n| take 1\",\"crossComponentResources\":[\"value::selected\"],\"value\":\"\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"name\":\"parameters - 10\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"173f69f1-a9c0-4ebc-a497-3e7354a32236\",\"cellValue\":\"{AdvancedKQLWorkbookPath}\",\"linkTarget\":\"Resource\",\"linkLabel\":\"Advanced KQL Framework\",\"subTarget\":\"Workbook\",\"preText\":\"If you would like to study more advanced 
topics:\",\"style\":\"primary\",\"linkIsContextBlade\":true,\"workbookContext\":{\"componentIdSource\":\"parameter\",\"componentId\":\"AdvancedKQLPath\",\"resourceIdsSource\":\"parameter\",\"resourceIds\":\"AdvancedKQLPath\",\"templateIdSource\":\"parameter\",\"templateId\":\"AdvancedKQLPath\",\"typeSource\":\"workbook\",\"gallerySource\":\"workbook\",\"locationSource\":\"default\"}},{\"id\":\"690a89fe-5c1d-4313-b442-ce059670840f\",\"cellValue\":\"https://aka.ms/lademo\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"ALA Demo\",\"preText\":\"If you would like to test any of the lessons learned, you can use the ALA Demo workspace here: \",\"style\":\"primary\",\"linkIsContextBlade\":true,\"bladeOpenContext\":{\"bladeName\":\"DemoLogsBlade\",\"extensionName\":\"Microsoft_Azure_Monitoring_Logs\"}},{\"id\":\"295f7752-374b-4680-b281-c5cb8b83d384\",\"cellValue\":\"https://aka.ms/introtokqlsurvey\",\"linkTarget\":\"Url\",\"linkLabel\":\"Feedback Form\",\"preText\":\"If you would like to submit feedback for this solution, please click on the form link here: \",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isNotEqualTo\",\"value\":\"Welcome\"},\"customWidth\":\"50\",\"name\":\"links - 9\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"IntrotoKQL\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel"