From c72e5a1382af07bbfce4764880b277b8cf529814 Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Sun, 10 Sep 2023 13:23:32 +0530
Subject: [PATCH] Workbook changes for LastIngestionTime
---
 .../Workbooks/WebSessionEssentials.json | 175 +++++++++++++-----
 1 file changed, 124 insertions(+), 51 deletions(-)
diff --git a/Solutions/Web Session Essentials/Workbooks/WebSessionEssentials.json b/Solutions/Web Session Essentials/Workbooks/WebSessionEssentials.json
index bc15f2a2b20..c4470bf804d 100644
--- a/Solutions/Web Session Essentials/Workbooks/WebSessionEssentials.json
+++ b/Solutions/Web Session Essentials/Workbooks/WebSessionEssentials.json
@@ -134,6 +134,79 @@ "durationMs": 604800000 } }, + { + "id": "ab5ebbc3-a282-4ee4-9cc0-7cfebaa7e06a", + "version": "KqlParameterItem/1.0", + "name": "LastIngestionTimeSrcInfo", + "type": 1, + "description": "Get last ingestion time in WebSession_Summarized_SrcInfo_CL custom table", + "isRequired": true, + "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\n print LastIngestionTime", + "crossComponentResources": [ + "{Workspace}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "b8fc59a5-83c9-4ec1-9dfa-f71fa4e1ad15", + "version": "KqlParameterItem/1.0", + "name": "LastIngestionTimeSrcIP", + "type": 1, + "description": "Get last ingestion time in WebSession_Summarized_SrcIP_CL custom table", + "isRequired": true, + "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\n print LastIngestionTime", + "crossComponentResources": [ + "{Workspace}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + 
"resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "c318ae1b-984d-4f08-a0a1-46f0a8e62252", + "version": "KqlParameterItem/1.0", + "name": "LastIngestionTimeDstIP", + "type": 1, + "description": "Get last ingestion time in WebSession_Summarized_DstIP_CL custom table", + "isRequired": true, + "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\n print LastIngestionTime", + "crossComponentResources": [ + "{Workspace}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "041050ed-6db3-42ae-96cd-100abebd7492", + "version": "KqlParameterItem/1.0", + "name": "LastIngestionTimeThreatInfo", + "type": 1, + "description": "Get last ingestion time in WebSession_Summarized_ThreatInfo_CL custom table", + "isRequired": true, + "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\n print LastIngestionTime", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces" + }, { "id": "7c67ea90-b8cb-44e0-b7e0-24d7b55e2680", "version": "KqlParameterItem/1.0", @@ -144,7 +217,7 @@ "multiSelect": true, "quote": "'", "delimiter": ",", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcIpAddr)\r\n | distinct SrcIpAddr\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcIpAddr_s)\r\n | distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr", + "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where isnotempty(SrcIpAddr)\r\n | distinct SrcIpAddr\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcIpAddr_s)\r\n | distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr", "typeSettings": { "additionalResourceOptions": [ "value::all" 
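Review bot: The fourth new parameter, `LastIngestionTimeThreatInfo`, is missing the `"crossComponentResources": ["{Workspace}"]` entry that the SrcInfo, SrcIP and DstIP parameters in this hunk carry, so its query will not be scoped to the selected workspace the way its siblings are; add the same `"crossComponentResources": [ "{Workspace}" ],` block after its `"query"` line. Only `LastIngestionTimeSrcIP` is referenced by the other hunks of this patch; if the SrcInfo, DstIP and ThreatInfo parameters are not consumed elsewhere in the workbook, each one adds a workspace query on every load without being used, so either wire them to the queries that read their respective tables or drop them. The four queries are identical apart from the table name, which is fine for a workbook parameter but worth a short `"description"` noting that the value is the summarized table's watermark plus one hour, since that offset is the contract the consuming queries rely on.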
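Review bot: The new query substitutes the parameter as text into a quoted literal, `todatetime('{LastIngestionTimeSrcIP}')`, which loses the lower-bound guarantee the removed inline `toscalar` had: if the parameter query returns no value the literal becomes `todatetime('')`, i.e. null, and if `_Im_WebSession` treats a null `starttime` as unbounded (as ASIM parsers generally do, though that is not visible here) the fallback is a scan of the whole table rather than the selected TimeRange. A one-line guard restores the old floor: `_Im_WebSession(starttime=coalesce(todatetime('{LastIngestionTimeSrcIP}'), {TimeRange:start}), endtime=now())`. The same substitution recurs in the hunks at -176, -205, -235, -318 and -355 and should get the same guard.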
@@ -176,7 +249,7 @@ "multiSelect": true, "quote": "'", "delimiter": ",", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcUsername)\r\n | distinct SrcUsername\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcUsername_s)\r\n | distinct SrcUsername=SrcUsername_s\r\n )\r\n | distinct SrcUsername", + "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where isnotempty(SrcUsername)\r\n | distinct SrcUsername\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcUsername_s)\r\n | distinct SrcUsername=SrcUsername_s\r\n )\r\n | distinct SrcUsername", "typeSettings": { "additionalResourceOptions": [ "value::all" 
@@ -205,7 +278,7 @@ "multiSelect": true, "quote": "'", "delimiter": ",", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcHostname)\r\n | distinct SrcHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcHostname_s)\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname", + "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where isnotempty(SrcHostname)\r\n | distinct SrcHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcHostname_s)\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname", "typeSettings": { "additionalResourceOptions": [ "value::all" 
@@ -235,7 +308,7 @@ "multiSelect": true, "quote": "'", "delimiter": ",", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(Url)\r\n | extend SiteName = tostring(parse_url(Url)[\"Host\"])\r\n | distinct SiteName\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | distinct SiteName = DestDomain_s\r\n )\r\n | distinct SiteName", + "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where isnotempty(Url)\r\n | extend SiteName = tostring(parse_url(Url)[\"Host\"])\r\n | distinct SiteName\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | distinct SiteName = DestDomain_s\r\n )\r\n | distinct SiteName", "typeSettings": { "additionalResourceOptions": [ "value::all" 
@@ -318,7 +391,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet uniqueConnection = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n\t\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize count() by SrcIpAddr, DestHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n\t\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize count() by SrcIpAddr, DestHostname\r\n )\r\n | summarize count() by SrcIpAddr, DestHostname\r\n | count\r\n | extend Metric = \"Unique Connections\", orderNum = 1;\r\nlet products = \r\n union 
isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where isnotempty(EventProduct)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventProduct\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(EventProduct_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventProduct=EventProduct_s\r\n )\r\n | distinct EventProduct\r\n | count\r\n | extend Metric = \"Product Count\", orderNum = 2;\r\nlet UserNames = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where isnotempty(SrcUsername)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcUsername\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | 
where isnotempty(SrcUsername_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcUsername\r\n )\r\n | distinct SrcUsername\r\n | count\r\n | extend Metric = \"Unique UserNames\", orderNum = 3;\r\nlet Srchosts = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(SrcHostname)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcHostname_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname\r\n | count\r\n | extend Metric = \"Source HostNames\", orderNum = 4;\r\nlet ClientIPs = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where 
EventType =~ 'WebServerSession'\r\n | where isnotempty(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcIpAddr\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr\r\n | count\r\n | extend Metric = \"Unique Source IPs\", orderNum = 5;\r\nlet DestHostName = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, 
SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname\r\n | count\r\n | extend Metric = \"Unique Dest Sites\", orderNum = 6;\r\nlet TotalUserAgents = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(HttpUserAgent)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}))\r\n | distinct HttpUserAgent\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(HttpUserAgent_s)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}))\r\n | distinct HttpUserAgent=HttpUserAgent_s\r\n )\r\n | distinct HttpUserAgent\r\n | count\r\n | extend Metric = \"Unique UserAgents\", orderNum = 7;\r\nlet ServerErrorsCount = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where toint(EventResultDetails) between (500 .. 
599)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where toint(EventResultDetails_s) between (500 .. 599)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize Count = sum(EventCount)\r\n | extend Metric = \"Total Server Errors\", orderNum = 8;\r\nlet ClientErrorsCount = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where toint(EventResultDetails) between (400 .. 
499)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where toint(EventResultDetails_s) between (400 .. 499)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize Count = sum(EventCount)\r\n | extend Metric = \"Total Client Errors\", orderNum = 9;\r\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents, ServerErrorsCount, ClientErrorsCount | where Count != 0\r\n| order by orderNum asc", + "query": "let uniqueConnection = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n\t\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ 
({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize count() by SrcIpAddr, DestHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n\t\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize count() by SrcIpAddr, DestHostname\r\n )\r\n | summarize count() by SrcIpAddr, DestHostname\r\n | count\r\n | extend Metric = \"Unique Connections\", orderNum = 1;\r\nlet products = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where isnotempty(EventProduct)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventProduct\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(EventProduct_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or 
(SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventProduct=EventProduct_s\r\n )\r\n | distinct EventProduct\r\n | count\r\n | extend Metric = \"Product Count\", orderNum = 2;\r\nlet UserNames = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where isnotempty(SrcUsername)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcUsername\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcUsername_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcUsername\r\n )\r\n | distinct SrcUsername\r\n | count\r\n | extend Metric = \"Unique UserNames\", orderNum = 3;\r\nlet Srchosts = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(SrcHostname)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or 
(SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcHostname_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname\r\n | count\r\n | extend Metric = \"Source HostNames\", orderNum = 4;\r\nlet ClientIPs = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcIpAddr\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ 
({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr\r\n | count\r\n | extend Metric = \"Unique Source IPs\", orderNum = 5;\r\nlet DestHostName = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname\r\n | count\r\n | extend Metric = \"Unique Dest Sites\", orderNum = 6;\r\nlet TotalUserAgents = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(HttpUserAgent)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}))\r\n | distinct HttpUserAgent\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventType_s =~ 
'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(HttpUserAgent_s)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}))\r\n | distinct HttpUserAgent=HttpUserAgent_s\r\n )\r\n | distinct HttpUserAgent\r\n | count\r\n | extend Metric = \"Unique UserAgents\", orderNum = 7;\r\nlet ServerErrorsCount = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where toint(EventResultDetails) between (500 .. 599)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where toint(EventResultDetails_s) between (500 .. 
599)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize Count = sum(EventCount)\r\n | extend Metric = \"Total Server Errors\", orderNum = 8;\r\nlet ClientErrorsCount = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where toint(EventResultDetails) between (400 .. 499)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventType_s =~ 'WebServerSession'\r\n | where EventTime_t >= {TimeRange:start}\r\n | where toint(EventResultDetails_s) between (400 .. 
499)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize Count = sum(EventCount)\r\n | extend Metric = \"Total Client Errors\", orderNum = 9;\r\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents, ServerErrorsCount, ClientErrorsCount | where Count != 0\r\n| order by orderNum asc", "size": 4, "timeContextFromParameter": "TimeRange", "queryType": 0, 
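Review bot: In the `TotalUserAgents` block the live-parser branch starts at `todatetime('{LastIngestionTimeSrcIP}')` while the summarized branch it is unioned with reads `WebSession_Summarized_SrcInfo_CL`, so the cutoff is taken from a different table than the one it is meant to complement; if the two summarization rules are at different watermarks, the user-agent count can double-count or miss the interval between them. This patch adds `LastIngestionTimeSrcInfo` for exactly that table, so this branch should read `_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now())`. The other eight metrics in this query all read `WebSession_Summarized_SrcIP_CL` and are consistent with the SrcIP parameter.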
@@ -355,7 +428,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(EventProduct)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend EventProduct = EventProduct_s\r\n | where isnotempty(EventProduct)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, 
{TimeRange:grain})", + "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(EventProduct)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend EventProduct = EventProduct_s\r\n | where isnotempty(EventProduct)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, {TimeRange:grain})", "size": 0, "aggregation": 3, "showAnalytics": true, 
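Review bot: `todatetime('{LastIngestionTimeSrcIP}')` on the new `_Im_WebSession` start time has no fallback when the parameter renders empty or in a form `todatetime` cannot parse, in which case it evaluates to null; if the parser treats a null starttime as "no lower bound" (the usual ASIM convention, to be confirmed), the raw branch then overlaps the whole summarized range and the union double-counts. The inline `toscalar` it replaces always produced a value because of its `print({TimeRange:start})` leg, so robustness drops even though the parameter query carries the same fallback. Consider `starttime=coalesce(todatetime('{LastIngestionTimeSrcIP}'), {TimeRange:start})` here, and likewise in the hunks at `@@ -432`, `@@ -500`, `@@ -524` (SrcIP) and `@@ -572`, `@@ -654`, `@@ -688`, `@@ -889` (DstIP). Also confirm that a query-backed text parameter renders a datetime column as an unambiguous ISO 8601 string rather than a locale-formatted one, since the value is interpolated as a quoted literal.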
@@ -432,7 +505,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n ); \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\r\n | where toint(EventResultDetails) between (400 .. 599)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | project\r\n EventResultDetails= EventResultDetails_s,\r\n EventTime = EventTime_t,\r\n EventCount = EventCount_d,\r\n SrcIpAddr=SrcIpAddr_s,\r\n DestHostname=DestDomain_s,\r\n SrcUsername=SrcUsername_s,\r\n SrcHostname=SrcHostname_s\r\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\r\n | where toint(EventResultDetails) between (400 .. 
599)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})", + "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\r\n | where toint(EventResultDetails) between (400 .. 599)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | project\r\n EventResultDetails= EventResultDetails_s,\r\n EventTime = EventTime_t,\r\n EventCount = EventCount_d,\r\n SrcIpAddr=SrcIpAddr_s,\r\n DestHostname=DestDomain_s,\r\n SrcUsername=SrcUsername_s,\r\n SrcHostname=SrcHostname_s\r\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\r\n | where toint(EventResultDetails) between (400 .. 
599)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})", "size": 0, "aggregation": 3, "showAnalytics": true, 
@@ -500,7 +573,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\n union isfuzzy=true\r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\r\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize 
RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize RequestCount = sum(RequestCount) by User\r\n| order by RequestCount desc\r\n| take 10", + "query": "let WebData = \r\n union isfuzzy=true\r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\r\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize 
RequestCount = sum(RequestCount) by User\r\n| order by RequestCount desc\r\n| take 10", "size": 1, "showAnalytics": true, "title": "Top internal users by request count", 
@@ -524,7 +597,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\n union isfuzzy=true\r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr))\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\r\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr_s))\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize 
RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize RequestCount = sum(RequestCount) by User\r\n| order by RequestCount desc\r\n| take 10", + "query": "let WebData = \r\n union isfuzzy=true\r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr))\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\r\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr_s))\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize 
RequestCount = sum(RequestCount) by User\r\n| order by RequestCount desc\r\n| take 10", "size": 1, "showAnalytics": true, "title": "Top external users by request count", 
@@ -572,7 +645,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n| where EventType =~ 'WebServerSession'\r\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\r\n | where isnotempty(DstHostname)\r\n| extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\r\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\r\n | where isnotempty(DstHostname)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by DstHostname\r\n| join 
kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\r\n) on DstHostname\r\n| project WebServer=DstHostname, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\r\n| where EventType =~ 'WebServerSession'\r\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\r\n | where isnotempty(DstHostname)\r\n| extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\r\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\r\n | where isnotempty(DstHostname)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by DstHostname\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\r\n) on DstHostname\r\n| project WebServer=DstHostname, EventCount, Trend\r\n| order by EventCount 
desc\r\n| take 25", "size": 1, "showAnalytics": true, "title": "Top web hosts with most request count", 
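Review bot: The DstIP tiles now take their start time from `{LastIngestionTimeDstIP}`, whose parameter definition is not in this chunk; the code it replaces derived the bound from `max(TimeGenerated)` on WebSession_Summarized_DstIP_CL, while the visible SrcIP parameters use `max(EventTime_t)`. Confirm the new DstIP parameter reads the DstIP table, uses the same timestamp column as the SrcIP ones and keeps the `print({TimeRange:start})` fallback, otherwise the raw and summarized branches of this union may overlap or leave a gap. The same applies to the hunks at `@@ -654`, `@@ -688` and `@@ -889`.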
@@ -654,7 +727,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n| where EventType =~ 'WebServerSession'\r\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\r\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 599)\r\n| extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\r\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\r\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 
599)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by DstHostname\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\r\n) on DstHostname\r\n| project WebServer=DstHostname, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\r\n| where EventType =~ 'WebServerSession'\r\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\r\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 599)\r\n| extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\r\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\r\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 
599)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by DstHostname\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\r\n) on DstHostname\r\n| project WebServer=DstHostname, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "showAnalytics": true, "title": "Top web hosts with most server errors", 
@@ -688,7 +761,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n| where EventType =~ 'WebServerSession'\r\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\r\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 499)\r\n| extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\r\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\r\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 
499)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by DstHostname\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\r\n) on DstHostname\r\n| project WebServer=DstHostname, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\r\n| where EventType =~ 'WebServerSession'\r\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\r\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 499)\r\n| extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'WebServerSession'\r\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\r\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\r\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 
499)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by DstHostname\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\r\n) on DstHostname\r\n| project WebServer=DstHostname, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "showAnalytics": true, "title": "Top web hosts with most client errors", 
@@ -889,7 +962,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\r\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| where EventType_s =~ 'WebServerSession'\r\n| extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\r\n| project EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\r\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize 
DataReceived = sum(DataReceived) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\r\n WebData\r\n | summarize DataReceived = sum(DataReceived) by DstHostname\r\n | join kind=inner (WebData\r\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\r\n ) on DstHostname\r\n | project WebServer=DstHostname, DataReceived=DataReceived, Trend\r\n | order by DataReceived desc\r\n | take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\r\n | where EventType =~ 'WebServerSession'\r\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\r\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| where EventType_s =~ 'WebServerSession'\r\n| extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\r\n| project EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\r\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize DataReceived = sum(DataReceived) by DstHostname, bin(TimeGenerated, 
{TimeRange:grain});\r\n WebData\r\n | summarize DataReceived = sum(DataReceived) by DstHostname\r\n | join kind=inner (WebData\r\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\r\n ) on DstHostname\r\n | project WebServer=DstHostname, DataReceived=DataReceived, Trend\r\n | order by DataReceived desc\r\n | take 25", "size": 1, "title": "Top Web servers with highest download", "timeContextFromParameter": "TimeRange", 
@@ -955,7 +1028,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet uniqueConnection = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n\t\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize count() by SrcIpAddr, DestHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n\t\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize count() by SrcIpAddr, DestHostname\r\n )\r\n | summarize count() by SrcIpAddr, DestHostname\r\n | count\r\n | extend Metric = \"Unique Connections\", orderNum = 1;\r\nlet products = \r\n union isfuzzy=true 
\r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where isnotempty(EventProduct)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventProduct\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(EventProduct_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventProduct=EventProduct_s\r\n )\r\n | distinct EventProduct\r\n | count\r\n | extend Metric = \"Product Count\", orderNum = 2;\r\nlet UserNames = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where isnotempty(SrcUsername)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcUsername\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(SrcUsername_s)\r\n 
| extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcUsername\r\n )\r\n | distinct SrcUsername\r\n | count\r\n | extend Metric = \"Unique UserNames\", orderNum = 3;\r\nlet Srchosts = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(SrcHostname)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(SrcHostname_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname\r\n | count\r\n | extend Metric = \"Source HostNames\", orderNum = 4;\r\nlet ClientIPs = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where 
isnotempty(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcIpAddr\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr\r\n | count\r\n | extend Metric = \"Unique Source IPs\", orderNum = 5;\r\nlet DestHostName = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or 
(SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname\r\n | count\r\n | extend Metric = \"Unique Dest HostNames\", orderNum = 6;\r\nlet TotalUserAgents = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(HttpUserAgent)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}))\r\n | distinct HttpUserAgent\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(HttpUserAgent_s)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}))\r\n | distinct HttpUserAgent=HttpUserAgent_s\r\n )\r\n | distinct HttpUserAgent\r\n | count\r\n | extend Metric = \"Unique UserAgents\", orderNum = 7;\r\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents | where Count != 0\r\n| order by orderNum asc", + "query": "let uniqueConnection = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n\t\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize count() by 
SrcIpAddr, DestHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n\t\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize count() by SrcIpAddr, DestHostname\r\n )\r\n | summarize count() by SrcIpAddr, DestHostname\r\n | count\r\n | extend Metric = \"Unique Connections\", orderNum = 1;\r\nlet products = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where isnotempty(EventProduct)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventProduct\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(EventProduct_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct 
EventProduct=EventProduct_s\r\n )\r\n | distinct EventProduct\r\n | count\r\n | extend Metric = \"Product Count\", orderNum = 2;\r\nlet UserNames = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where isnotempty(SrcUsername)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcUsername\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(SrcUsername_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcUsername\r\n )\r\n | distinct SrcUsername\r\n | count\r\n | extend Metric = \"Unique UserNames\", orderNum = 3;\r\nlet Srchosts = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(SrcHostname)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname\r\n 
),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(SrcHostname_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname\r\n | count\r\n | extend Metric = \"Source HostNames\", orderNum = 4;\r\nlet ClientIPs = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcIpAddr\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr\r\n | count\r\n | extend Metric = \"Unique Source IPs\", orderNum = 
5;\r\nlet DestHostName = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n ( \r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname\r\n | count\r\n | extend Metric = \"Unique Dest HostNames\", orderNum = 6;\r\nlet TotalUserAgents = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(HttpUserAgent)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}))\r\n | distinct HttpUserAgent\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotempty(HttpUserAgent_s)\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}))\r\n | 
distinct HttpUserAgent=HttpUserAgent_s\r\n )\r\n | distinct HttpUserAgent\r\n | count\r\n | extend Metric = \"Unique UserAgents\", orderNum = 7;\r\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents | where Count != 0\r\n| order by orderNum asc", "size": 4, "showAnalytics": true, "timeContextFromParameter": "TimeRange", 
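Review bot: Under `let TotalUserAgents` on the new side, the `_Im_WebSession` branch starts at `todatetime('{LastIngestionTimeSrcIP}')` while its summarized counterpart reads `WebSession_Summarized_SrcInfo_CL`, so the cutover point is taken from a different custom table than the one being stitched; if the two tables are not summarized up to the same point, user agents in the gap are counted twice or dropped, and a per-table parameter for the SrcInfo table (which the `...SrcIP` naming suggests exists) should be used for that branch instead. Separately, every `_Im_WebSession` call now interpolates the parameter as a bare string literal with no fallback: if the parameter resolves to an empty or non-datetime value, `todatetime()` yields null and the lower time bound silently disappears, which — depending on how the parser treats a null `starttime` — can turn each tile into an unbounded scan of the workspace. Consider `starttime=coalesce(todatetime('{LastIngestionTimeSrcIP}'), {TimeRange:start})` so a bad parameter value degrades to the selected range rather than to no bound. The same pattern recurs in the hunks at 1048, 1125, 1196, 1221 and, as far as visible, 1243, and the partially visible hunk above this one uses `{LastIngestionTimeDstIP}` the same way.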
@@ -1048,7 +1121,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(EventProduct)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | extend EventProduct = EventProduct_s\r\n | where isnotempty(EventProduct)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, 
{TimeRange:grain})", + "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(EventProduct)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | extend EventProduct = EventProduct_s\r\n | where isnotempty(EventProduct)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, {TimeRange:grain})", "size": 0, "aggregation": 3, "showAnalytics": true, 
@@ -1125,7 +1198,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(EventResult)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventResult, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | extend EventResult = EventResult_s\r\n | where isnotempty(EventResult)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResult, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by EventResult, bin(TimeGenerated, {TimeRange:grain})", 
+ "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(EventResult)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventResult, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | extend EventResult = EventResult_s\r\n | where isnotempty(EventResult)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResult, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by EventResult, bin(TimeGenerated, {TimeRange:grain})", "size": 0, "aggregation": 3, "showAnalytics": true, 
@@ -1196,7 +1269,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | where toint(EventResultDetails) > 399 // Take events resulted in errors\r\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | extend\r\n SrcIpAddr=SrcIpAddr_s,\r\n DestHostname=DestDomain_s,\r\n SrcUsername=SrcUsername_s,\r\n SrcHostname=SrcHostname_s,\r\n SrcBytes = SrcBytes_d,\r\n DstBytes = DstBytes_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | where toint(EventResultDetails_s) > 399 // Take events resulted in errors\r\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResultDetails=EventResultDetails_s, 
TimeGenerated=bin(EventTime_t, {TimeRange:grain})\r\n )\r\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})", + "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | where toint(EventResultDetails) > 399 // Take events resulted in errors\r\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | extend\r\n SrcIpAddr=SrcIpAddr_s,\r\n DestHostname=DestDomain_s,\r\n SrcUsername=SrcUsername_s,\r\n SrcHostname=SrcHostname_s,\r\n SrcBytes = SrcBytes_d,\r\n DstBytes = DstBytes_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | where toint(EventResultDetails_s) > 399 // Take events resulted in errors\r\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResultDetails=EventResultDetails_s, TimeGenerated=bin(EventTime_t, {TimeRange:grain})\r\n )\r\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})", "size": 0, "aggregation": 3, "showAnalytics": true, 
@@ -1221,7 +1294,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(EventType)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventType, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | extend EventType=EventType_s, EventCount=EventCount_d, EventTime=EventTime_t\r\n | where isnotempty(EventType)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by EventType, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by EventType, 
bin(TimeGenerated, {TimeRange:grain})", + "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotempty(EventType)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by EventType, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | extend EventType=EventType_s, EventCount=EventCount_d, EventTime=EventTime_t\r\n | where isnotempty(EventType)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by EventType, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by EventType, bin(TimeGenerated, {TimeRange:grain})", "size": 1, "showAnalytics": true, "title": "Events by type", 
@@ -1243,7 +1316,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n ); \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotnull(SrcBytes) or isnotnull(DstBytes)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotnull(SrcBytes_d) or isnotnull(DstBytes_d)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated=EventTime_t,{TimeRange:grain})\r\n )\r\n | 
summarize DataSent = sum(DataSent), DataReceived=tolong(sum(DataReceived)) by bin(TimeGenerated, {TimeRange:grain})\r\n | project DataSentinGB = format_bytes(DataSent,0,'GB'), DataReceivedinGB=format_bytes(DataReceived,0,'GB'), TimeGenerated\r\n | extend DataSentinGB = toint(replace_string(DataSentinGB,\" GB\",\"\")), DataReceivedinGB = toint(replace_string(DataReceivedinGB,\" GB\",\"\"))", + "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | where isnotnull(SrcBytes) or isnotnull(DstBytes)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n | where isnotnull(SrcBytes_d) or isnotnull(DstBytes_d)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated=EventTime_t,{TimeRange:grain})\r\n )\r\n | summarize DataSent = sum(DataSent), DataReceived=tolong(sum(DataReceived)) by bin(TimeGenerated, {TimeRange:grain})\r\n | project 
DataSentinGB = format_bytes(DataSent,0,'GB'), DataReceivedinGB=format_bytes(DataReceived,0,'GB'), TimeGenerated\r\n | extend DataSentinGB = toint(replace_string(DataSentinGB,\" GB\",\"\")), DataReceivedinGB = toint(replace_string(DataReceivedinGB,\" GB\",\"\"))", "size": 1, "aggregation": 3, "showAnalytics": true, 
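Review bot: The final roll-up `summarize DataSent = sum(DataSent), DataReceived=tolong(sum(DataReceived))` casts one sum and not the other, even though both branch outputs are already produced with `tolong`; either drop the cast or apply it to both, e.g. `| summarize DataSent = sum(DataSent), DataReceived = sum(DataReceived) by bin(TimeGenerated, {TimeRange:grain})`. The GB conversion that follows renders each total to a string with `format_bytes`, strips the unit with `replace_string` and parses it back with `toint`; a numeric division would express the intent without the string round-trip, but I have not verified that it rounds identically, so I leave that as a style suggestion rather than a required change.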
@@ -1268,7 +1341,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DestHostnameSet = make_set(DestHostname, 1000000) by bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n| where isnotempty(DestDomain_s)\r\n| extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize DestHostnameSet = make_set(DestHostname, 1000000) by TimeGenerated=bin(EventTime_t, {TimeRange:grain})\r\n)\r\n| summarize TotalSites = array_length(make_set(DestHostnameSet, 1000000)) by bin(TimeGenerated, {TimeRange:grain})\r\n", 
+ "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where EventType =~ 'HTTPsession'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DestHostnameSet = make_set(DestHostname, 1000000) by bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where EventType_s =~ 'HTTPsession'\r\n| where isnotempty(DestDomain_s)\r\n| extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize DestHostnameSet = make_set(DestHostname, 1000000) by TimeGenerated=bin(EventTime_t, {TimeRange:grain})\r\n)\r\n| summarize TotalSites = array_length(make_set(DestHostnameSet, 1000000)) by bin(TimeGenerated, {TimeRange:grain})\r\n", "size": 1, "aggregation": 3, "showAnalytics": true, 
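Review bot: The raw branch of this site-count query applies no emptiness filter after `extend DestHostname = tostring(parse_url(Url)["Host"])`, while the summarized branch filters `isnotempty(DestDomain_s)`; if `parse_url` yields an empty host for a malformed or host-less `Url`, the empty string enters `make_set` and is counted as one extra site in `TotalSites`. Adding `| where isnotempty(DestHostname)` immediately after the extend makes the two branches agree and matches the `isnotempty(DestHostname)`-style checks the other tiles already apply to their grouping keys.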
@@ -1346,7 +1419,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | extend DestDomain = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(DestDomain)\r\n | summarize RequestCount=tolong(count()) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project\r\n SrcUsername=SrcUsername_s,\r\n SrcIpAddr=SrcIpAddr_s,\r\n SrcHostname=SrcHostname_s,\r\n TimeGenerated=EventTime_t,\r\n DestDomain=DestDomain_s,\r\n EventCount=EventCount_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(DestDomain)\r\n | summarize RequestCount=tolong(sum(EventCount)) by User, DestDomain, bin(TimeGenerated, 
{TimeRange:grain})\r\n )\r\n | summarize RequestCount = sum(RequestCount) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain});\r\nlet UserData = WebData\r\n | summarize RequestCount=sum(RequestCount) by User\r\n | join kind=inner (WebData\r\n | make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User)\r\n on User\r\n | order by RequestCount desc, User asc;\r\nWebData\r\n| summarize RequestCount=sum(RequestCount) by User, DestDomain\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DestDomain\r\n) on User, DestDomain\r\n| order by RequestCount desc, User asc\r\n| project Id=DestDomain, Name=DestDomain, RequestCount, Trend, ParentId=User, Type='DestDomain'\r\n| union (UserData\r\n| project Id=User, Name=User, RequestCount, Trend, ParentId = 'root', Type='User'\r\n)\r\n| order by RequestCount desc, Name asc\r\n| take 25", + "query": "let WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | extend DestDomain = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(DestDomain)\r\n | summarize RequestCount=tolong(count()) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project\r\n SrcUsername=SrcUsername_s,\r\n SrcIpAddr=SrcIpAddr_s,\r\n SrcHostname=SrcHostname_s,\r\n TimeGenerated=EventTime_t,\r\n DestDomain=DestDomain_s,\r\n EventCount=EventCount_d\r\n | where ('*' 
in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(DestDomain)\r\n | summarize RequestCount=tolong(sum(EventCount)) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\r\n )\r\n | summarize RequestCount = sum(RequestCount) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain});\r\nlet UserData = WebData\r\n | summarize RequestCount=sum(RequestCount) by User\r\n | join kind=inner (WebData\r\n | make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User)\r\n on User\r\n | order by RequestCount desc, User asc;\r\nWebData\r\n| summarize RequestCount=sum(RequestCount) by User, DestDomain\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DestDomain\r\n) on User, DestDomain\r\n| order by RequestCount desc, User asc\r\n| project Id=DestDomain, Name=DestDomain, RequestCount, Trend, ParentId=User, Type='DestDomain'\r\n| union (UserData\r\n| project Id=User, Name=User, RequestCount, Trend, ParentId = 'root', Type='User'\r\n)\r\n| order by RequestCount desc, Name asc\r\n| take 25", "size": 1, "title": "Top sites of the top users", "queryType": 0, 
@@ -1399,7 +1472,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by User, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | extend EventCount=EventCount_d, SrcIpAddr=SrcIpAddr_s, EventTime=EventTime_t, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, SrcHostname=SrcHostname_s\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, 
{TimeRange:grain});\r\n WebData\r\n | summarize EventCount = sum(EventCount) by User\r\n | join kind=inner (WebData\r\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\r\n ) on User\r\n | project User, EventCount, Trend\r\n | order by EventCount desc\r\n | take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(count()) by User, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | extend EventCount=EventCount_d, SrcIpAddr=SrcIpAddr_s, EventTime=EventTime_t, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, SrcHostname=SrcHostname_s\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\r\n WebData\r\n | summarize EventCount = sum(EventCount) by User\r\n | join kind=inner (WebData\r\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} 
to now() step {TimeRange:grain} by User\r\n ) on User\r\n | project User, EventCount, Trend\r\n | order by EventCount desc\r\n | take 25", "size": 1, "title": "Top Users with most request count", "timeContextFromParameter": "TimeRange", 
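Review bot: For this tile, and the ones at `@@ -1458`, `@@ -1504`, `@@ -1553` and `@@ -1599`, the removed inline boundary was derived from `max(TimeGenerated)` of the summarized table, whereas the tiles at `@@ -1221` through `@@ -1346` derived it from `max(EventTime_t)`; routing all of them through one `{LastIngestionTimeSrcIP}` parameter changes where the raw window starts for this group, and the commit message does not say so. Presumably the parameter reproduces the removed `max(EventTime_t)` plus one hour computation, which would close the gap a `TimeGenerated`-based boundary leaves when summarization lags the event hour, but its definition is outside this hunk. A short KQL comment at the top of each query would record the contract, e.g. `// raw _Im_WebSession rows start at {LastIngestionTimeSrcIP}; WebSession_Summarized_SrcIP_CL covers everything earlier`.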
@@ -1458,7 +1531,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\r\n| extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by User\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\r\n) on User\r\n| project User, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\r\n| extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by User\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\r\n) on User\r\n| project User, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "title": "Top Users with most client errors", "timeContextFromParameter": "TimeRange", 
@@ -1504,7 +1577,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\r\n| extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by User\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\r\n) on User\r\n| project User, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\r\n| extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by User\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\r\n) on User\r\n| project User, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "showAnalytics": true, "title": "Top Users with most server errors", 
@@ -1553,7 +1626,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by EventResultDetails\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\r\n) on EventResultDetails\r\n| project EventResultDetails, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by EventResultDetails\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\r\n) on EventResultDetails\r\n| project EventResultDetails, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "title": "Top client error types", "timeContextFromParameter": "TimeRange", 
@@ -1599,7 +1672,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by EventResultDetails\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\r\n) on EventResultDetails\r\n| project EventResultDetails, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\r\n| extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by EventResultDetails\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\r\n) on EventResultDetails\r\n| project EventResultDetails, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "title": "Top server error types", "timeContextFromParameter": "TimeRange", 
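Review bot: The new start bound `_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())` trusts the substituted parameter text to be a parseable datetime; if the substitution comes through empty or in a form `todatetime` does not accept, the value becomes null, and if the parser treats a null starttime as unbounded (as ASIM parsers generally do) the raw leg scans the whole retention window and overlaps the rows already counted from WebSession_Summarized_SrcIP_CL, inflating every total. A one-line fallback to the workbook time range keeps the query bounded either way: `let startTime = coalesce(todatetime('{LastIngestionTimeSrcIP}'), {TimeRange:start});` followed by `_Im_WebSession(starttime=startTime, endtime=now())`. The same pattern is repeated in the hunks at -1645, -1691, -1737, -1783, -1821 and -1860, and in the SrcInfo variant of the hunk at -1899 that continues past this view. Whether the workbook renders the parameter's datetime as an ISO 8601 string that `todatetime` parses unambiguously cannot be confirmed from these hunks and is worth checking once against the parameter definition.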
@@ -1645,7 +1718,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet Webdata = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now(), eventresult='Success')\r\n | extend Website = case(\r\n isnotempty(DstDomain),DstDomain\r\n , isnotempty(Url),tostring(parse_url(Url)[\"Host\"])\r\n ,\"NA\"\r\n )\r\n | where Website != \"NA\"\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\r\n | extend Website = case(\r\n isnotempty(DestHostname),DestHostname\r\n ,\"NA\"\r\n )\r\n | where Website != \"NA\" and EventResult_s =~ 'Success'\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | 
summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\r\nWebdata\r\n| summarize EventCount = sum(EventCount) by Website\r\n| join kind = inner (\r\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\r\n) \r\non Website\r\n| project Website, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let Webdata = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Success')\r\n | extend Website = case(\r\n isnotempty(DstDomain),DstDomain\r\n , isnotempty(Url),tostring(parse_url(Url)[\"Host\"])\r\n ,\"NA\"\r\n )\r\n | where Website != \"NA\"\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\r\n | extend Website = case(\r\n isnotempty(DestHostname),DestHostname\r\n ,\"NA\"\r\n )\r\n | where Website != \"NA\" and EventResult_s =~ 'Success'\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | 
summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\r\nWebdata\r\n| summarize EventCount = sum(EventCount) by Website\r\n| join kind = inner (\r\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\r\n) \r\non Website\r\n| project Website, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "title": "Top websites by successful requests count", "timeContextFromParameter": "TimeRange", 
@@ -1691,7 +1764,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet Webdata = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now(), eventresult='Failure')\r\n | extend Website = case(\r\n isnotempty(DstDomain),DstDomain\r\n , isnotempty(Url),tostring(parse_url(Url)[\"Host\"])\r\n ,\"NA\"\r\n )\r\n | where Website != \"NA\"\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\r\n | extend Website = case(\r\n isnotempty(DestHostname),DestHostname\r\n ,\"NA\"\r\n )\r\n | where Website != \"NA\" and EventResult_s =~ 'Failure'\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | 
summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\r\nWebdata\r\n| summarize EventCount = sum(EventCount) by Website\r\n| join kind = inner (\r\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\r\n) \r\non Website\r\n| project Website, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let Webdata = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Failure')\r\n | extend Website = case(\r\n isnotempty(DstDomain),DstDomain\r\n , isnotempty(Url),tostring(parse_url(Url)[\"Host\"])\r\n ,\"NA\"\r\n )\r\n | where Website != \"NA\"\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\r\n | extend Website = case(\r\n isnotempty(DestHostname),DestHostname\r\n ,\"NA\"\r\n )\r\n | where Website != \"NA\" and EventResult_s =~ 'Failure'\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | 
summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\r\nWebdata\r\n| summarize EventCount = sum(EventCount) by Website\r\n| join kind = inner (\r\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\r\n) \r\non Website\r\n| project Website, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "title": "Top websites by failed requests count", "timeContextFromParameter": "TimeRange", 
@@ -1737,7 +1810,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(SrcBytes)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, SrcBytes= SrcBytes_d\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(SrcBytes)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataSent=tolong(sum(SrcBytes)) by User, 
bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize DataSent = sum(DataSent) by User, bin(TimeGenerated, {TimeRange:grain});\r\n WebData\r\n | summarize DataSent = sum(DataSent) by User\r\n | join kind=inner (WebData\r\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\r\n ) on User\r\n | project User, DataSentinMB=DataSent/1048576, Trend\r\n | order by DataSentinMB desc\r\n | take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(SrcBytes)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, SrcBytes= SrcBytes_d\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(SrcBytes)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize 
DataSent = sum(DataSent) by User, bin(TimeGenerated, {TimeRange:grain});\r\n WebData\r\n | summarize DataSent = sum(DataSent) by User\r\n | join kind=inner (WebData\r\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\r\n ) on User\r\n | project User, DataSentinMB=DataSent/1048576, Trend\r\n | order by DataSentinMB desc\r\n | take 25", "size": 1, "title": "Users with highest upload (MB)", "timeContextFromParameter": "TimeRange", 
@@ -1783,7 +1856,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(DstBytes)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(DstBytes)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataReceived=tolong(sum(DstBytes)) by User, 
bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize DataReceived = sum(DataReceived) by User, bin(TimeGenerated, {TimeRange:grain});\r\n WebData\r\n | summarize DataReceived = sum(DataReceived) by User\r\n | join kind=inner (WebData\r\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\r\n ) on User\r\n | project User, DataReceivedinMB=DataReceived/1048576, Trend\r\n | order by DataReceivedinMB desc\r\n | take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(DstBytes)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\r\n | extend User = coalesce(SrcUsername, SrcIpAddr)\r\n | where isnotempty(User) and isnotempty(DstBytes)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataReceived=tolong(sum(DstBytes)) by User, 
bin(TimeGenerated=EventTime,{TimeRange:grain})\r\n )\r\n | summarize DataReceived = sum(DataReceived) by User, bin(TimeGenerated, {TimeRange:grain});\r\n WebData\r\n | summarize DataReceived = sum(DataReceived) by User\r\n | join kind=inner (WebData\r\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\r\n ) on User\r\n | project User, DataReceivedinMB=DataReceived/1048576, Trend\r\n | order by DataReceivedinMB desc\r\n | take 25", "size": 1, "title": "Users with highest download (MB)", "timeContextFromParameter": "TimeRange", 
@@ -1821,7 +1894,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | extend Website = case(\r\n isnotempty(DstDomain),\r\n DstDomain\r\n ,\r\n isnotempty(Url),\r\n tostring(parse_url(Url)[\"Host\"])\r\n ,\r\n \"NA\"\r\n )\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | where Website != \"NA\" and isnotempty(SrcBytes)\r\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project\r\n SrcIpAddr=SrcIpAddr_s,\r\n EventResultDetails=EventResultDetails_s,\r\n EventCount=EventCount_d,\r\n EventTime=EventTime_t,\r\n SrcUsername=SrcUsername_s,\r\n SrcHostname=SrcHostname_s,\r\n DestHostname=DestDomain_s,\r\n SrcBytes= SrcBytes_d\r\n | extend Website = case(\r\n isnotempty(DestHostname),\r\n DestHostname\r\n ,\r\n \"NA\"\r\n )\r\n | where Website != \"NA\" and isnotnull(SrcBytes)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ 
({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize DataSent = sum(DataSent) by Website, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize DataSent = sum(DataSent) by Website\r\n| join kind=inner (WebData\r\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\r\n )\r\n on Website\r\n| project Website, DataSentinMB=DataSent / 1048576, Trend\r\n| order by DataSentinMB desc\r\n| take 25", + "query": "let WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | extend Website = case(\r\n isnotempty(DstDomain),\r\n DstDomain\r\n ,\r\n isnotempty(Url),\r\n tostring(parse_url(Url)[\"Host\"])\r\n ,\r\n \"NA\"\r\n )\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | where Website != \"NA\" and isnotempty(SrcBytes)\r\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project\r\n SrcIpAddr=SrcIpAddr_s,\r\n EventResultDetails=EventResultDetails_s,\r\n EventCount=EventCount_d,\r\n EventTime=EventTime_t,\r\n SrcUsername=SrcUsername_s,\r\n SrcHostname=SrcHostname_s,\r\n DestHostname=DestDomain_s,\r\n SrcBytes= SrcBytes_d\r\n | extend Website = case(\r\n isnotempty(DestHostname),\r\n DestHostname\r\n ,\r\n \"NA\"\r\n )\r\n | where Website != \"NA\" and isnotnull(SrcBytes)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ 
({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize DataSent = sum(DataSent) by Website, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize DataSent = sum(DataSent) by Website\r\n| join kind=inner (WebData\r\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\r\n )\r\n on Website\r\n| project Website, DataSentinMB=DataSent / 1048576, Trend\r\n| order by DataSentinMB desc\r\n| take 25", "size": 1, "title": "Websites with highest upload (MB)", "timeContextFromParameter": "TimeRange", 
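Review bot: The summarized leg of the rewritten query filters with `| where Website != \"NA\" and isnotnull(SrcBytes)` while the raw leg directly above it, and every sibling query in this file, use `isnotempty(...)` for the same check. For a numeric column the two presumably evaluate the same way, so this is a consistency point rather than a defect, but since the commit replaces the whole query line it is the natural moment to align it: `| where Website != \"NA\" and isnotempty(SrcBytes)`.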
@@ -1860,7 +1933,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | project DstDomain, Url, TimeGenerated, DstBytes, SrcIpAddr, SrcUsername, SrcHostname\r\n | extend Website = case(\r\n isnotempty(DstDomain),\r\n DstDomain\r\n ,\r\n isnotempty(Url),\r\n tostring(parse_url(Url)[\"Host\"])\r\n ,\r\n \"NA\"\r\n )\r\n | where Website != \"NA\" and isnotempty(DstBytes)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | where Website != \"NA\" and isnotempty(DstBytes)\r\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project\r\n SrcIpAddr=SrcIpAddr_s,\r\n EventResultDetails=EventResultDetails_s,\r\n EventCount=EventCount_d,\r\n EventTime=EventTime_t,\r\n SrcUsername=SrcUsername_s,\r\n SrcHostname=SrcHostname_s,\r\n DestHostname=DestDomain_s,\r\n DstBytes= DstBytes_d\r\n | extend Website = case(\r\n isnotempty(DestHostname),\r\n DestHostname\r\n ,\r\n \"NA\"\r\n )\r\n | where Website != \"NA\" and isnotempty(DstBytes)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ 
({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize DataReceived = sum(DataReceived) by Website, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize DataReceived = sum(DataReceived) by Website\r\n| join kind=inner (WebData\r\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\r\n )\r\n on Website\r\n| project Website, DataReceivedinMB=DataReceived / 1048576, Trend\r\n| order by DataReceivedinMB desc\r\n| take 25", + "query": "let WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | project DstDomain, Url, TimeGenerated, DstBytes, SrcIpAddr, SrcUsername, SrcHostname\r\n | extend Website = case(\r\n isnotempty(DstDomain),\r\n DstDomain\r\n ,\r\n isnotempty(Url),\r\n tostring(parse_url(Url)[\"Host\"])\r\n ,\r\n \"NA\"\r\n )\r\n | where Website != \"NA\" and isnotempty(DstBytes)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | where Website != \"NA\" and isnotempty(DstBytes)\r\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project\r\n SrcIpAddr=SrcIpAddr_s,\r\n EventResultDetails=EventResultDetails_s,\r\n EventCount=EventCount_d,\r\n EventTime=EventTime_t,\r\n SrcUsername=SrcUsername_s,\r\n SrcHostname=SrcHostname_s,\r\n DestHostname=DestDomain_s,\r\n DstBytes= 
DstBytes_d\r\n | extend Website = case(\r\n isnotempty(DestHostname),\r\n DestHostname\r\n ,\r\n \"NA\"\r\n )\r\n | where Website != \"NA\" and isnotempty(DstBytes)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\r\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize DataReceived = sum(DataReceived) by Website, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize DataReceived = sum(DataReceived) by Website\r\n| join kind=inner (WebData\r\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\r\n )\r\n on Website\r\n| project Website, DataReceivedinMB=DataReceived / 1048576, Trend\r\n| order by DataReceivedinMB desc\r\n| take 25", "size": 1, "title": "Websites with highest download(MB)", "timeContextFromParameter": "TimeRange", 
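Review bot: The raw-data leg of the rewritten query applies `| where Website != \"NA\" and isnotempty(DstBytes)` twice, once before and once after the parameter-based `where` clause, so the second copy does no work and only makes the query harder to read. Since the commit replaces this query line wholesale, dropping the duplicate while keeping the first occurrence would be a cheap cleanup. None of the sibling queries in the other hunks carry the duplicated filter, so this one is the outlier.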
@@ -1899,7 +1972,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now(), eventresult='Success')\r\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \"NA\"\r\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcInfo_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\r\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \"NA\" and EventResult =~ 'Success'\r\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\r\n) on HttpRequestMethod\r\n| project HttpRequestMethod, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\r\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != 
\"NA\"\r\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcInfo_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\r\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \"NA\" and EventResult =~ 'Success'\r\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\r\n) on HttpRequestMethod\r\n| project HttpRequestMethod, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "title": "Top HTTP request methods by successful requests count", "timeContextFromParameter": "TimeRange", 
@@ -1938,7 +2011,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now(), eventresult='Failure')\r\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \"NA\"\r\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcInfo_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\r\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \"NA\" and EventResult =~ 'Failure'\r\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\r\n) on HttpRequestMethod\r\n| project HttpRequestMethod, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\r\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != 
\"NA\"\r\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcInfo_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\r\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \"NA\" and EventResult =~ 'Failure'\r\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\r\n) on HttpRequestMethod\r\n| project HttpRequestMethod, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "title": "Top HTTP request methods by failed requests count", "timeContextFromParameter": "TimeRange", 
@@ -1977,7 +2050,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now(), eventresult='Success')\r\n| where isnotempty(HttpContentType) and HttpContentType != \"None\"\r\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcInfo_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\r\n| where isnotempty(HttpContentType) and HttpContentType != \"None\" and EventResult =~ 'Success'\r\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpContentType\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\r\n) on HttpContentType\r\n| project HttpContentType, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\r\n| where isnotempty(HttpContentType) and HttpContentType != \"None\"\r\n| summarize 
EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcInfo_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\r\n| where isnotempty(HttpContentType) and HttpContentType != \"None\" and EventResult =~ 'Success'\r\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpContentType\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\r\n) on HttpContentType\r\n| project HttpContentType, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "showAnalytics": true, "title": "Top HTTP content types by successful requests count", 
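Review bot: Nothing in the query says why it unions two sources or why the raw branch starts at `'{LastIngestionTimeSrcInfo}'` instead of `{TimeRange:start}`, so a reader who swaps the parameter for the time range, or changes the summarization bucket size, will silently double count or leave a gap. A KQL comment at the head of the query would carry that contract, e.g. `// Pre-aggregated rows from WebSession_Summarized_SrcInfo_CL cover the selected range; raw _Im_WebSession rows are only read from LastIngestionTimeSrcInfo (last summarized bucket + bucket width) to now(). The two branches must not overlap.` The bucket-width assumption comes from the one-hour offset in the removed inline computation; confirm it against the summarization rule, since the parameter definition is outside this hunk.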
@@ -2019,7 +2092,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n| extend max_TimeGenerated = print_0\r\n| project max_TimeGenerated\r\n)\r\n| summarize maxTimeGenerated = max(max_TimeGenerated) \r\n);\r\nlet WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now(), eventresult='Failure')\r\n| where isnotempty(HttpContentType) and HttpContentType != \"None\"\r\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcInfo_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\r\n| where isnotempty(HttpContentType) and HttpContentType != \"None\" and EventResult =~ 'Failure'\r\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpContentType\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\r\n) on HttpContentType\r\n| project HttpContentType, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\nunion isfuzzy=true \r\n(\r\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\r\n| where isnotempty(HttpContentType) and HttpContentType != \"None\"\r\n| summarize 
EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\r\n),\r\n(\r\nWebSession_Summarized_SrcInfo_CL\r\n| where EventTime_t >= {TimeRange:start}\r\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\r\n| where isnotempty(HttpContentType) and HttpContentType != \"None\" and EventResult =~ 'Failure'\r\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n)\r\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpContentType\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\r\n) on HttpContentType\r\n| project HttpContentType, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "showAnalytics": true, "title": "Top HTTP content types by failed requests count", 
@@ -2145,7 +2218,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now(), eventresult=\"Failure\")\r\n | project UrlCategory, TimeGenerated\r\n | where isnotempty(UrlCategory)\r\n | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\r\n | where isnotempty(UrlCategory) and EventResult =~ \"Failure\"\r\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by UrlCategory\r\n| join kind=inner (WebData\r\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\r\n) on UrlCategory\r\n| project UrlCategory, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\"Failure\")\r\n | project UrlCategory, TimeGenerated\r\n | where isnotempty(UrlCategory)\r\n | summarize EventCount=tolong(count()) by 
UrlCategory, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\r\n | where isnotempty(UrlCategory) and EventResult =~ \"Failure\"\r\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by UrlCategory\r\n| join kind=inner (WebData\r\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\r\n) on UrlCategory\r\n| project UrlCategory, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "title": "Top URL Categories by failed requests count", "timeContextFromParameter": "TimeRange", 
@@ -2183,7 +2256,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now(), eventresult=\"Success\")\r\n | project UrlCategory, TimeGenerated\r\n | where isnotempty(UrlCategory)\r\n | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\r\n | where isnotempty(UrlCategory) and EventResult =~ \"Success\"\r\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by UrlCategory\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\r\n) on UrlCategory\r\n| project UrlCategory, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\"Success\")\r\n | project UrlCategory, TimeGenerated\r\n | where isnotempty(UrlCategory)\r\n | summarize EventCount=tolong(count()) by 
UrlCategory, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\r\n | where isnotempty(UrlCategory) and EventResult =~ \"Success\"\r\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by UrlCategory\r\n| join kind=inner (WebData\r\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\r\n) on UrlCategory\r\n| project UrlCategory, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "title": "Top URL Categories by successful requests count", "timeContextFromParameter": "TimeRange", 
@@ -2221,7 +2294,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now(), eventresult='Success')\r\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\r\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project\r\n HttpUserAgent=HttpUserAgent_s,\r\n EventCount=EventCount_d,\r\n EventTime=EventTime_t,\r\n EventResult=EventResult_s\r\n | where isnotempty(HttpUserAgent)\r\n and HttpUserAgent != 'Unknown'\r\n and EventResult =~ 'Success'\r\n | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpUserAgent\r\n| join kind=inner (WebData\r\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\r\n )\r\n on HttpUserAgent\r\n| project HttpUserAgent, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\r\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 
'Unknown'\r\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project\r\n HttpUserAgent=HttpUserAgent_s,\r\n EventCount=EventCount_d,\r\n EventTime=EventTime_t,\r\n EventResult=EventResult_s\r\n | where isnotempty(HttpUserAgent)\r\n and HttpUserAgent != 'Unknown'\r\n and EventResult =~ 'Success'\r\n | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpUserAgent\r\n| join kind=inner (WebData\r\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\r\n )\r\n on HttpUserAgent\r\n| project HttpUserAgent, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "title": "Top HTTP User Agents by successful request count", "timeContextFromParameter": "TimeRange", 
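Review bot: `make-series ... by HttpUserAgent` in the new query builds a series for every distinct user agent in the range before `take 25` trims the result, and user agents are high-cardinality on web proxy data, so the join materializes far more than the 25 rows the tile shows and is the branch most likely to hit result-size limits. Ranking first and restricting the series to the winners keeps the output identical: `let TopAgents = WebData | summarize EventCount = sum(EventCount) by HttpUserAgent | top 25 by EventCount desc;` followed by `TopAgents | join kind=inner (WebData | where HttpUserAgent in ((TopAgents | project HttpUserAgent)) | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent) on HttpUserAgent | project HttpUserAgent, EventCount, Trend | order by EventCount desc`. The same join-then-trim shape is repeated in the other tiles of this file, so the change applies there too.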
@@ -2259,7 +2332,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, LastIngestionTime)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now(), eventresult='Failure')\r\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\r\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project\r\n HttpUserAgent=HttpUserAgent_s,\r\n EventCount=EventCount_d,\r\n EventTime=EventTime_t,\r\n EventResult=EventResult_s\r\n | where isnotempty(HttpUserAgent)\r\n and HttpUserAgent != 'Unknown'\r\n and EventResult =~ 'Failure'\r\n | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpUserAgent\r\n| join kind=inner (WebData\r\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\r\n )\r\n on HttpUserAgent\r\n| project HttpUserAgent, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", + "query": "let WebData = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\r\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 
'Unknown'\r\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_SrcInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project\r\n HttpUserAgent=HttpUserAgent_s,\r\n EventCount=EventCount_d,\r\n EventTime=EventTime_t,\r\n EventResult=EventResult_s\r\n | where isnotempty(HttpUserAgent)\r\n and HttpUserAgent != 'Unknown'\r\n and EventResult =~ 'Failure'\r\n | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\r\n )\r\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\r\nWebData\r\n| summarize EventCount = sum(EventCount) by HttpUserAgent\r\n| join kind=inner (WebData\r\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\r\n )\r\n on HttpUserAgent\r\n| project HttpUserAgent, EventCount, Trend\r\n| order by EventCount desc\r\n| take 25", "size": 1, "showAnalytics": true, "title": "Top HTTP User Agents by failed request count", 
@@ -2315,7 +2388,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let exludeString = dynamic ( [ \"/\", \"None\",\"\" ]);\r\nlet LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet distinctThreats = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where (ThreatName !in~ (exludeString) and isnotempty(ThreatName))\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where (ThreatName_s !in~ (exludeString) and isnotempty(ThreatName_s))\r\n | extend ThreatName = ThreatName_s\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n )\r\n | summarize Result=tostring(dcount(ThreatName))\r\n | extend Query = \"Distinct ThreatNames\", orderNum = 1;\r\nlet distinctThreatCategory = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where (ThreatCategory !in~ (exludeString) and 
isnotempty(ThreatCategory))\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n ),\r\n ( \r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where (ThreatCategory_s !in~ (exludeString) and isnotempty(ThreatCategory_s))\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend ThreatCategory = ThreatCategory_s\r\n )\r\n | summarize Result=tostring(dcount(ThreatCategory))\r\n | extend Query = \"Distinct Threat Categories\", orderNum = 2;\r\nlet maxRiskLevel = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where ThreatRiskLevel > 60\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n ),\r\n ( \r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where ThreatRiskLevel_d > 60\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend ThreatRiskLevel 
= toint(ThreatRiskLevel_d)\r\n )\r\n | summarize Max_RiskLevel=max(ThreatRiskLevel)\r\n | extend Result=tostring(iff(isempty(Max_RiskLevel), 0, Max_RiskLevel))\r\n | extend Query = \"Maximum RiskLevel\", orderNum = 3;\r\nlet maxThreatConfidence = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | extend ThreatOriginalConfidence=toint(ThreatOriginalConfidence)\r\n | where ThreatOriginalConfidence > 0\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n ),\r\n ( \r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where toint(ThreatOriginalConfidence_d) > 0\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, ThreatOriginalConfidence=ThreatOriginalConfidence_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\r\n )\r\n | summarize Max_ThreatOriginalConfidence=max(ThreatOriginalConfidence)\r\n | extend Result=tostring(iff(isempty(Max_ThreatOriginalConfidence), 0, Max_ThreatOriginalConfidence))\r\n | extend Query = \"Maximum ThreatConfidence\", orderNum = 4;\r\nlet MaxEventSeverity = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ 
({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventSeverity\r\n ),\r\n ( \r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(EventSeverity_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventSeverity=EventSeverity_s\r\n )\r\n | distinct EventSeverity\r\n | summarize EventSeverity=make_set(EventSeverity, 5)\r\n | extend Result=case(\r\n EventSeverity has 'High',\r\n 'High',\r\n EventSeverity has 'Medium',\r\n 'Medium',\r\n EventSeverity has 'Low',\r\n 'Low',\r\n EventSeverity has 'Informational',\r\n 'Informational',\r\n EventSeverity\r\n )\r\n | extend Query = \"Max Event Severity\", orderNum = 5;\r\nunion distinctThreatCategory, distinctThreats, maxRiskLevel, maxThreatConfidence, MaxEventSeverity\r\n| order by orderNum asc", + "query": "let exludeString = dynamic ( [ \"/\", \"None\",\"\" ]);\r\nlet distinctThreats = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\r\n | where (ThreatName !in~ (exludeString) and isnotempty(ThreatName))\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where (ThreatName_s !in~ (exludeString) and isnotempty(ThreatName_s))\r\n 
| extend ThreatName = ThreatName_s\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n )\r\n | summarize Result=tostring(dcount(ThreatName))\r\n | extend Query = \"Distinct ThreatNames\", orderNum = 1;\r\nlet distinctThreatCategory = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\r\n | where (ThreatCategory !in~ (exludeString) and isnotempty(ThreatCategory))\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n ),\r\n ( \r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where (ThreatCategory_s !in~ (exludeString) and isnotempty(ThreatCategory_s))\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend ThreatCategory = ThreatCategory_s\r\n )\r\n | summarize Result=tostring(dcount(ThreatCategory))\r\n | extend Query = \"Distinct Threat Categories\", orderNum = 2;\r\nlet maxRiskLevel = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\r\n | where ThreatRiskLevel > 60\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or 
(SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n ),\r\n ( \r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where ThreatRiskLevel_d > 60\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend ThreatRiskLevel = toint(ThreatRiskLevel_d)\r\n )\r\n | summarize Max_RiskLevel=max(ThreatRiskLevel)\r\n | extend Result=tostring(iff(isempty(Max_RiskLevel), 0, Max_RiskLevel))\r\n | extend Query = \"Maximum RiskLevel\", orderNum = 3;\r\nlet maxThreatConfidence = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\r\n | extend ThreatOriginalConfidence=toint(ThreatOriginalConfidence)\r\n | where ThreatOriginalConfidence > 0\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n ),\r\n ( \r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where toint(ThreatOriginalConfidence_d) > 0\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, ThreatOriginalConfidence=ThreatOriginalConfidence_d\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or 
(DestHostname in~ ({DstHostname})))\r\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\r\n )\r\n | summarize Max_ThreatOriginalConfidence=max(ThreatOriginalConfidence)\r\n | extend Result=tostring(iff(isempty(Max_ThreatOriginalConfidence), 0, Max_ThreatOriginalConfidence))\r\n | extend Query = \"Maximum ThreatConfidence\", orderNum = 4;\r\nlet MaxEventSeverity = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\r\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventSeverity\r\n ),\r\n ( \r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(EventSeverity_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct EventSeverity=EventSeverity_s\r\n )\r\n | distinct EventSeverity\r\n | summarize EventSeverity=make_set(EventSeverity, 5)\r\n | extend Result=case(\r\n EventSeverity has 'High',\r\n 'High',\r\n EventSeverity has 'Medium',\r\n 'Medium',\r\n EventSeverity has 'Low',\r\n 'Low',\r\n EventSeverity has 'Informational',\r\n 'Informational',\r\n EventSeverity\r\n )\r\n | extend Query = \"Max Event Severity\", orderNum = 5;\r\nunion distinctThreatCategory, distinctThreats, maxRiskLevel, maxThreatConfidence, MaxEventSeverity\r\n| order by orderNum asc",
 "size": 4,
 "timeContextFromParameter": 
"TimeRange",
 "queryType": 0, 
@@ -2386,7 +2459,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = bin(LastIngestionTime, 1h)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where (ThreatName != 'None' and isnotempty(ThreatName))\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=count() by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project ThreatName=ThreatName_s, EventCount=EventCount_d, TimeGenerated=EventTime_t, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\r\n | where (ThreatName != 'None' and isnotempty(ThreatName))\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by ThreatName, bin(TimeGenerated, {TimeRange:grain})\r\n )\r\n| summarize EventCount = sum(EventCount) by ThreatName, ThreatField, SrcIpAddr, SrcUsername, 
DestHostname, EventResult\r\n| order by EventCount",
+ "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\r\n | where (ThreatName != 'None' and isnotempty(ThreatName))\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=count() by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult, bin(TimeGenerated, {TimeRange:grain})\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project ThreatName=ThreatName_s, EventCount=EventCount_d, TimeGenerated=EventTime_t, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\r\n | where (ThreatName != 'None' and isnotempty(ThreatName))\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by ThreatName, bin(TimeGenerated, {TimeRange:grain})\r\n )\r\n| summarize EventCount = sum(EventCount) by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n| order by EventCount",
 "size": 1,
 "aggregation": 3,
 "title": "Events by threat name", 
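Review bot: In the new "Events by threat name" query the `WebSession_Summarized_ThreatInfo_CL` branch ends with `| summarize EventCount=tolong(sum(EventCount)) by ThreatName, bin(TimeGenerated, {TimeRange:grain})`, which drops ThreatField, SrcIpAddr, SrcUsername, DestHostname and EventResult even though the preceding `project` carries all of them; after the outer `summarize ... by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult` every summarized row therefore lands in an all-empty group and the same threat is reported on two rows, one per branch. The sibling "Events by threat category" query in the next hunk keeps the full key set in both branches, and this one should match it: `| summarize EventCount=tolong(sum(EventCount)) by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult`. The `bin(TimeGenerated, {TimeRange:grain})` in both branches is discarded by the outer summarize anyway and can be removed at the same time. The mismatch predates this commit, but the commit rewrites the whole string and is the natural place to fix it.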
@@ -2408,7 +2481,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let exludeString = dynamic ( [ \"/\", \"None\",\"\" ]);\r\nlet LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize LastIngestionTime=max(TimeGenerated)\r\n | extend max_TimeGenerated = bin(LastIngestionTime, 1h)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(ago(2d)), endtime=now())\r\n | where ThreatCategory !in~ (exludeString)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=count() by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project ThreatCategory=ThreatCategory_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\r\n | where ThreatCategory !in~ (exludeString)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n )\r\n| summarize EventCount = sum(EventCount) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, 
DestHostname, EventResult",
+ "query": "let exludeString = dynamic ( [ \"/\", \"None\",\"\" ]);\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\r\n | where ThreatCategory !in~ (exludeString)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=count() by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project ThreatCategory=ThreatCategory_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\r\n | where ThreatCategory !in~ (exludeString)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount)) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n )\r\n| summarize EventCount = sum(EventCount) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult",
 "size": 1,
 "aggregation": 3,
 "title": "Events by threat category", 
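Review bot: The new `_Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())` call ignores the upper end of the selected time range: the summarized branch is bounded only by `{TimeRange:start}` and the raw branch runs to `now()`, so when a user picks a range that ends in the past the raw branch still pulls everything up to the present and the tile no longer reflects the selected window; `endtime={TimeRange:end}` would keep both branches inside the same window. The lower bound now comes from a hidden text parameter, and if that parameter ever resolves to an empty string the expression becomes `todatetime('')`, a null starttime, which ASIM parsers generally treat as unbounded — the raw branch would then scan the whole table and overlap the summarized rows, so the parameter query (defined outside this hunk) should be made to always emit a value, or the dependency on `isRequired` should be stated in the parameter description. The same call, and the same two points, appear in every hunk of this commit (@@ -2386, -2430, -2452, -2474, -2495, -2516 and -2537), so one fix pattern covers all of them.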
@@ -2430,7 +2503,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize EventCount=tolong(count()) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project EventSeverity=EventSeverity_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\r\n\t | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t | summarize EventCount=tolong(sum(EventCount)) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n )\r\n | summarize EventCount=sum(EventCount) by EventSeverity, ThreatField, 
SrcIpAddr, SrcUsername, DestHostname, EventResult",
+ "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\r\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize EventCount=tolong(count()) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project EventSeverity=EventSeverity_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\r\n\t | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t | summarize EventCount=tolong(sum(EventCount)) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n )\r\n | summarize EventCount=sum(EventCount) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult",
 "size": 1,
 "aggregation": 3,
 "title": "Events by Severity over time", 
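Review bot: The item is titled "Events by Severity over time", yet neither union branch of the new query bins on `{TimeRange:grain}` and the closing `| summarize EventCount=sum(EventCount) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult` carries no time column, so the result has nothing to plot on a time axis; the "Events by threat name" query at @@ -2386 shows the `bin(TimeGenerated, {TimeRange:grain})` grouping this would need, with `TimeGenerated=EventTime_t` projected in the summarized branch. The visualization settings for this item sit outside the hunk, so if the title is simply stale, renaming it is the smaller fix. The same title/query mismatch is present in "Events by Risk Level over time" (@@ -2452) and "Events by Confidence over time" (@@ -2474).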
@@ -2452,7 +2525,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where ThreatRiskLevel > 60\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize EventCount=tolong(count()) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project ThreatRiskLevel=toint(ThreatRiskLevel_d), EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\r\n | where ThreatRiskLevel > 60\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t | summarize EventCount=tolong(sum(EventCount)) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n )\r\n | summarize EventCount=sum(EventCount) by tostring(ThreatRiskLevel), ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult",
+ 
"query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\r\n | where ThreatRiskLevel > 60\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize EventCount=tolong(count()) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project ThreatRiskLevel=toint(ThreatRiskLevel_d), EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\r\n | where ThreatRiskLevel > 60\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t | summarize EventCount=tolong(sum(EventCount)) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n )\r\n | summarize EventCount=sum(EventCount) by tostring(ThreatRiskLevel), ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult",
 "size": 1,
 "aggregation": 3,
 "title": "Events by Risk Level over time", 
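Review bot: The cutoff `ThreatRiskLevel > 60` is repeated verbatim in both branches of this query and again in the "Maximum RiskLevel" tile of the preceding hunk, with nothing saying why 60 is the threshold, so a reader cannot tell whether it is tied to a vendor's risk scale or is a tuning choice that may be changed. A one-line KQL comment at the top of the query, `// ThreatRiskLevel > 60: <RATIONALE_PLACEHOLDER — fill in why this is the cutoff>`, would record that, and hoisting the value into a single workbook parameter would stop the two tiles from drifting apart. The closing `| summarize EventCount=sum(EventCount) by tostring(ThreatRiskLevel), ...` also turns the level into a string key, so if the grid is sorted on that column the order becomes lexical ("100" ahead of "70"); grouping on the integer and converting only for display avoids that.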
@@ -2474,7 +2547,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\r\n | where ThreatOriginalConfidence > 0\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize EventCount=tolong(count()) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where ThreatOriginalConfidence_d > 0\r\n | project ThreatOriginalConfidence=toint(ThreatOriginalConfidence_d), EventTime_t, EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount_d)) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n )\r\n | summarize 
EventCount=sum(EventCount) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult",
+ "query": "union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\r\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\r\n | where ThreatOriginalConfidence > 0\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| summarize EventCount=tolong(count()) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n ),\r\n (\r\n WebSession_Summarized_ThreatInfo_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where ThreatOriginalConfidence_d > 0\r\n | project ThreatOriginalConfidence=toint(ThreatOriginalConfidence_d), EventTime_t, EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | summarize EventCount=tolong(sum(EventCount_d)) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\r\n )\r\n | summarize EventCount=sum(EventCount) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult",
 "size": 1,
 "title": "Events by Confidence over time",
 "timeContextFromParameter": "TimeRange", 
@@ -2495,7 +2568,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllPublicIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where not(ipv4_is_private(SrcIpAddr))\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend PublicIPAddress = SrcIpAddr\r\n | where PublicIPAddress != ''\r\n\t\t| project PublicIPAddress\r\n\t\t| distinct PublicIPAddress\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where not(ipv4_is_private(SrcIpAddr))\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend PublicIPAddress = SrcIpAddr\r\n | where PublicIPAddress != ''\r\n | project PublicIPAddress\r\n\t\t| distinct PublicIPAddress\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | extend 
DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\r\n | where not(ipv4_is_private(DstIpAddr))\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend PublicIPAddress = DstIpAddr\r\n | where PublicIPAddress != ''\r\n | project PublicIPAddress\r\n\t\t| distinct PublicIPAddress\r\n )\r\n | distinct PublicIPAddress;\r\n ThreatIntelligenceIndicator\r\n | where NetworkIP in~ (AllPublicIPs)",
+ "query": "let AllPublicIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where not(ipv4_is_private(SrcIpAddr))\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend PublicIPAddress = SrcIpAddr\r\n | where PublicIPAddress != ''\r\n\t\t| project PublicIPAddress\r\n\t\t| distinct PublicIPAddress\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | project SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where not(ipv4_is_private(SrcIpAddr))\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend PublicIPAddress = SrcIpAddr\r\n | where PublicIPAddress != ''\r\n | project PublicIPAddress\r\n\t\t| distinct PublicIPAddress\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | extend 
DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\r\n | where not(ipv4_is_private(DstIpAddr))\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | extend PublicIPAddress = DstIpAddr\r\n | where PublicIPAddress != ''\r\n | project PublicIPAddress\r\n\t\t| distinct PublicIPAddress\r\n )\r\n | distinct PublicIPAddress;\r\n ThreatIntelligenceIndicator\r\n | where NetworkIP in~ (AllPublicIPs)",
 "size": 1,
 "title": "Source or Destination IPs matching with Threat Intelligence indicators",
 "timeContextFromParameter": "TimeRange", 
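Review bot: The closing `ThreatIntelligenceIndicator | where NetworkIP in~ (AllPublicIPs)` matches every indicator row ever ingested, including expired, deactivated and superseded versions of the same indicator, so one retired IP indicator keeps flagging traffic indefinitely and a single indicator can produce several rows. Restricting to the live set first, `| where Active == true and ExpirationDateTime > now()` followed by `| summarize arg_max(TimeGenerated, *) by IndicatorId`, is the usual hygiene before the match. Separately, the raw `_Im_WebSession` branch only collects `SrcIpAddr` (`| extend PublicIPAddress = SrcIpAddr`), so destination IPs that appear after the last `WebSession_Summarized_DstIP_CL` summarization are never checked, and the branch is bounded by the SrcIP table's ingestion time rather than the DstIP table's; a second raw branch projecting `DstIpAddr` would close that gap. The same indicator filtering applies to the URL match in the hunk at @@ -2516.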
@@ -2516,7 +2589,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllDstWebsites = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where isnotempty(DestHostname)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n 
| distinct DestHostname;\r\n ThreatIntelligenceIndicator\r\n | where Url has_any(AllDstWebsites)",
+ "query": "let AllDstWebsites = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where isnotempty(DestHostname)\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname;\r\n ThreatIntelligenceIndicator\r\n | where Url has_any(AllDstWebsites)",
 "size": 1,
 "title": "Requested URL matching with Threat Intelligence Indicators",
 "timeContextFromParameter": "TimeRange", 
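Review bot: The closing `| where Url has_any(AllDstWebsites)` is a term match, not a host match: `has_any` treats a hostname such as `example.com` as the term sequence "example", "com", so any indicator URL whose host merely contains that sequence (a longer registered domain that embeds it) also matches, while indicators recorded as domains rather than URLs are never consulted because they live in `DomainName`, not `Url`. Extracting the indicator host with `| extend IndicatorHost = tostring(parse_url(Url)[\"Host\"])` (escaped as in the file) and filtering with `| where IndicatorHost in~ (AllDstWebsites) or DomainName in~ (AllDstWebsites)` gives an exact comparison on both indicator types. The indicator hygiene raised on the hunk at @@ -2495 (`Active == true`, `ExpirationDateTime > now()`, latest row per `IndicatorId`) applies here unchanged.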
@@ -2537,7 +2610,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllSrcIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| project SrcIpAddr\r\n\t\t| distinct SrcIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr;\r\nlet AllDstIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(DstIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and 
('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DstIpAddr_s)\r\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n )\r\n | distinct DstIpAddr;\r\nlet AllIPs =\r\nunion AllSrcIPs, AllDstIPs;\r\n SecurityAlert\r\n | where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'ip'\r\n | extend IPEntity = tostring(Parsed_Entities.Address)\r\n | project-away Parsed_Entities\r\n | where IPEntity in~ (AllIPs)\r\n | project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, IPEntity, Status, Tactics, Techniques", + "query": "let AllSrcIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where isnotempty(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| project SrcIpAddr\r\n\t\t| distinct SrcIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, 
SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr;\r\nlet AllDstIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\r\n | where isnotempty(DstIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DstIpAddr_s)\r\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n )\r\n | distinct DstIpAddr;\r\nlet AllIPs =\r\nunion AllSrcIPs, AllDstIPs;\r\n SecurityAlert\r\n | where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'ip'\r\n | extend IPEntity = tostring(Parsed_Entities.Address)\r\n | project-away Parsed_Entities\r\n | where IPEntity in~ (AllIPs)\r\n | project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, IPEntity, Status, Tactics, Techniques", "size": 1, "title": "Source or Destination IPs matching with Entities in 
Security Alert table", "timeContextFromParameter": "TimeRange", 
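Review bot: The AllDstIPs branch now reads `todatetime('{LastIngestionTimeDstIP}')`, but the parameters visible at the top of this patch are `LastIngestionTimeSrcInfo` and `LastIngestionTimeSrcIP`; if no `LastIngestionTimeDstIP` parameter is defined in the workbook the placeholder is passed through literally, `todatetime` returns null, and the raw-data branch of the destination-IP lookup silently runs with a null starttime. I can only see part of the parameter list in this diff, so please confirm the parameter exists; either way a fallback such as `let dstStart = coalesce(todatetime('{LastIngestionTimeDstIP}'), {TimeRange:start});` keeps the behaviour the removed inline `print({TimeRange:start})` branch used to guarantee, and the same applies to the `{LastIngestionTimeSrcIP}` use in AllSrcIPs. The panel's JSON object continues outside this hunk.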
@@ -2555,7 +2628,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllDstWebsites = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend DestHostname = DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname;\r\nSecurityAlert\r\n| where 
TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'url'\r\n | extend UrlEntity = tostring(Parsed_Entities.Url)\r\n | project-away Parsed_Entities\r\n| where UrlEntity has_any (AllDstWebsites)\r\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, UrlEntity, Status, Tactics, Techniques", + "query": "let AllDstWebsites = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend DestHostname = DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend 
Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'url'\r\n | extend UrlEntity = tostring(Parsed_Entities.Url)\r\n | project-away Parsed_Entities\r\n| where UrlEntity has_any (AllDstWebsites)\r\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, UrlEntity, Status, Tactics, Techniques", "size": 1, "title": "Request URLs matching with Entities in Security Alert table", "timeContextFromParameter": "TimeRange", 
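Review bot: As in the other panels, `_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())` has no guard for an empty or unparsable parameter value, so the null-starttime case the old inline `union ... print({TimeRange:start})` fallback covered is now unhandled. I'd add `let startTime = coalesce(todatetime('{LastIngestionTimeSrcIP}'), {TimeRange:start});` before `let AllDstWebsites` and use `starttime=startTime`. A short comment in the parameter's `description` saying that dependent panels expect an ISO datetime string from it would also help the next person editing the workbook. The enclosing panel object starts before and ends after this hunk.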
@@ -2575,7 +2648,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllSrcHostnames = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcHostname)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcHostname_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'host'\r\n | extend HostEntity = 
tostring(Parsed_Entities.HostName)\r\n | project-away Parsed_Entities\r\n| where HostEntity in~ (AllSrcHostnames)\r\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, HostEntity, Status, Tactics, Techniques", + "query": "let AllSrcHostnames = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\r\n | where isnotempty(SrcHostname)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcHostname_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'host'\r\n | extend HostEntity = tostring(Parsed_Entities.HostName)\r\n | project-away Parsed_Entities\r\n| where HostEntity in~ (AllSrcHostnames)\r\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, HostEntity, Status, Tactics, Techniques", "size": 1, "title": "Source HostNames matching with Entities in Security Alert table", 
"timeContextFromParameter": "TimeRange",
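Review bot: The start time for the raw `_Im_WebSession` branch is now a text substitution of a workbook parameter inside a KQL string literal (`todatetime('{LastIngestionTimeSrcIP}')`); the parameter is hidden only when the workbook is locked, so in edit mode a stray value (or an empty one while parameters are still loading) reaches the query unchecked, and because todatetime returns null rather than failing, the panel degrades silently instead of showing an error. Wrapping it as `let startTime = coalesce(todatetime('{LastIngestionTimeSrcIP}'), {TimeRange:start});` handles both the empty and the malformed case and restores the fallback the removed inline query had. Since this same prologue is now repeated in several panels, it may be worth noting in the description of the `LastIngestionTimeSrcIP` parameter which panels depend on it. The panel's JSON object continues past this hunk.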