diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Clone_Detection_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Clone_Detection_Query.yaml
new file mode 100644
index 00000000000..69314502cda
--- /dev/null
+++ b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Clone_Detection_Query.yaml
@@ -0,0 +1,37 @@
+id: b3c4b8f4-c12c-471e-9999-023c05852276
+name: Illumio VEN Clone Detection Rule
+description: |
+ 'Create Microsoft Sentinel Incident When A Cloned Ven Is Detected'
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: IllumioSaaSDataConnector
+ dataTypes:
+ - Illumio_Auditable_Events_CL
+queryFrequency: 60m
+queryPeriod: 60m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+query: |
+ Illumio_Auditable_Events_CL
+ | where event_type has 'agent.clone_detected'
+ | extend hostname = created_by.agent.hostname,
+ ven_href = created_by.ven.href
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: hostname
+alertDetailsOverride:
+ alertDisplayNameFormat: |
+ Illumio VEN Clone Detection Incident for {{hostname}}
+ alertDescriptionFormat: |
+ Illumio VEN Clone Detection for {{hostname}} generated at {{TimeGenerated}}
+version: 1.0.5
+kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml
new file mode 100644
index 00000000000..8f18e9e10cb
--- /dev/null
+++ b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml
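Review bot: The Host entity is mapped from `hostname = created_by.agent.hostname`, which is a dynamic-typed projection, and the same pattern feeds the HostName and Address mappings in the deactivated, suspend, tampering and offline rules and the `ipaddress` column of the enforcement-change rule. Sentinel entity mapping works on string columns; as far as I know a dynamic value is rendered with its JSON quoting and may not resolve to the entity cleanly, so wrap each projection: `| extend hostname = tostring(created_by.agent.hostname), ven_href = tostring(created_by.ven.href)`. The workbook in this same solution reaches the field via parse_json(created_by)['agent']['hostname'], which hints that created_by may be ingested as a string column; if it is, the bare dot access here will not compile and needs parse_json() first, so this is worth confirming against the connector's table schema.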
@@ -0,0 +1,46 @@
+id: c18bd8c2-50f0-4aa2-8122-d449243627d7
+name: Illumio VEN Deactivated Detection Rule
+description: |
+ 'Create Microsoft Sentinel Incident When Ven Goes Into Deactivated state'
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: IllumioSaaSDataConnector
+ dataTypes:
+ - Illumio_Auditable_Events_CL
+queryFrequency: 60m
+queryPeriod: 60m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+query: |
+ Illumio_Auditable_Events_CL
+ | where event_type has 'agent.deactivate'
+ | mv-expand resource_changes
+ | extend hostname = resource_changes['resource']['workload']['hostname'],
+ workload_href = resource_changes['resource']['workload']['href'],
+ workload_labels = resource_changes['resource']['workload']['labels']
+ | extend ipaddress = action.src_ip,
+ ven_href = created_by.ven.href
+ | project-away resource_changes, action, version
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: hostname
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ipaddress
+alertDetailsOverride:
+ alertDisplayNameFormat: |
+ Illumio VEN Deactivated Incident for {{hostname}}
+ alertDescriptionFormat: |
+ Illumio VEN Deactivated Incident for {{hostname}} generated at {{TimeGenerated}}
+version: 1.0.5
+kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Enforcement_Change_Detection_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Enforcement_Change_Detection_Query.yaml
index fdbccf4e353..9b0bf4427c0 100644
--- a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Enforcement_Change_Detection_Query.yaml
+++ b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Enforcement_Change_Detection_Query.yaml
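Review bot: `ven_href`, `workload_href` and `workload_labels` are computed in the query but surface nowhere — not in the entity mappings, the alert title or custom details — so an analyst opening the incident has to re-run the query to learn which VEN was deactivated. Add a custom-details section so they travel with the alert: `customDetails:` / `  VenHref: ven_href` / `  WorkloadHref: workload_href`; the same gap exists for `ven_href` in the clone-detection rule. Separately, `event_type has 'agent.deactivate'` is a term match rather than an equality, so any other event type built from the same terms would also fire; `event_type == 'agent.deactivate'` is the tighter predicate unless the looser match is deliberate.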
@@ -18,19 +18,20 @@ relevantTechniques: - T1562 query: | let enf_state = dynamic(["full", "selective"]); - let visibility_state = dynamic(["visibility", "idle"]); + let visibility_state = dynamic(["visibility_only", "idle"]); Illumio_Auditable_Events_CL | extend temp_resource_changes = parse_json(resource_changes)[0] | where event_type == 'workloads.update' | extend old_mode = temp_resource_changes.changes.enforcement_mode.before, new_mode = temp_resource_changes.changes.enforcement_mode.after, workload_href = temp_resource_changes.resource.workload.href, - workload_name = temp_resource_changes.resource.workload.hostname + workload_name = temp_resource_changes.resource.workload.hostname, + ipaddress = action.src_ip | where new_mode in (visibility_state) and old_mode in (enf_state) | project-away temp_* - | project old_mode, new_mode, workload_href, workload_name, TimeGenerated, created_by + | project old_mode, new_mode, workload_href, workload_name, TimeGenerated, created_by, ipaddress eventGroupingSettings: - aggregationKind: AlertPerResult + aggregationKind: SingleAlert entityMappings: - entityType: Host fieldMappings: @@ -39,11 +40,15 @@ entityMappings: - entityType: Account fieldMappings: - identifier: Name - columnName: created_by + columnName: created_by + - entityType: IP + fieldMappings: + - identifier: Address + columnName: ipaddress alertDetailsOverride: alertDisplayNameFormat: | - Illumio Enforcement Change Incident: {{IncidentId}} + Illumio Enforcement Change Incident for {{workload_name}} alertDescriptionFormat: | - Illumio Enforcement Change Incident {{IncidentId}} generated at {{TimeGenerated}} -version: 1.0.5 + Illumio Enforcement Change Incident for {{workload_name}} generated at {{TimeGenerated}} +version: 1.0.6 kind: Scheduled \ No newline at end of file 
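Review bot: The Account entity in the second hunk is still `columnName: created_by`, which the new side only re-indents; created_by is the whole actor object rather than a user name, so the Account entity receives a JSON blob (the solution's own workbook reads the name via parse_json(created_by).user.username). Extend a string column and map that instead: `| extend actor = tostring(created_by.user.username)` in the query, add `actor` to the final `project`, and set `columnName: actor`. An enforcement change made by a VEN or an API key rather than a user would leave that column empty, so if those actors matter consider falling back to created_by.ven.href. The rule header and the first lines of the query are outside the hunk.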
diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_Firewall_Tampering_Detection_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Firewall_Tampering_Detection_Query.yaml similarity index 62% rename from Solutions/IllumioSaaS/Analytic Rules/Illumio_Firewall_Tampering_Detection_Query.yaml rename to Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Firewall_Tampering_Detection_Query.yaml index 1689d47d8aa..8ca1a9a8e73 100644 --- a/Solutions/IllumioSaaS/Analytic Rules/Illumio_Firewall_Tampering_Detection_Query.yaml +++ b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Firewall_Tampering_Detection_Query.yaml @@ -17,23 +17,27 @@ tactics: relevantTechniques: - T1562 query: | - Illumio_Auditable_Events_CL + Illumio_Auditable_Events_CL | where event_type has 'tampering' + | extend ipaddress = action.src_ip, + hostname = created_by.agent.hostname, + ven_href = created_by.ven.href + | project-away resource_changes, action, version eventGroupingSettings: - aggregationKind: AlertPerResult + aggregationKind: SingleAlert entityMappings: - entityType: Host fieldMappings: - identifier: HostName - columnName: created_by + columnName: hostname - entityType: IP fieldMappings: - identifier: Address - columnName: action + columnName: ipaddress alertDetailsOverride: alertDisplayNameFormat: | - Illumio Firewall Tamper Incident: {{IncidentId}} + Illumio Firewall Tamper Incident for {{hostname}} alertDescriptionFormat: | - Illumio Firewall Tamper Incident {{IncidentId}} generated at {{TimeGenerated}} -version: 1.0.5 + Illumio Firewall Tamper Incident for {{hostname}} generated at {{TimeGenerated}} +version: 1.0.6 kind: Scheduled \ No newline at end of file diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml index a8bc88e4f41..e7f7976415f 100644 --- a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml 
+++ b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml @@ -17,19 +17,24 @@ tactics: relevantTechniques: - T1562 query: | - Illumio_Auditable_Events_CL - | where event_type has 'agent_offline_check' + Illumio_Auditable_Events_CL + | where event_type has 'agent_offline_check' + | mv-expand resource_changes + | extend hostname = resource_changes['resource']['workload']['hostname'], + workload_href = resource_changes['resource']['workload']['href'], + workload_labels = resource_changes['resource']['workload']['labels'] + | project-away resource_changes, version, notifications, action, severity, status // action field will have filtered ip addr, so no point of using IP entity eventGroupingSettings: - aggregationKind: AlertPerResult + aggregationKind: SingleAlert entityMappings: - entityType: Host fieldMappings: - identifier: HostName - columnName: resource_changes + columnName: hostname alertDetailsOverride: alertDisplayNameFormat: | - Illumio VEN Offline Incident: {{IncidentId}} + Illumio VEN Offline Incident for {{hostname}} alertDescriptionFormat: | - Illumio VEN Offline Incident {{IncidentId}} generated at {{TimeGenerated}} -version: 1.0.5 + Illumio VEN Offline Incident for {{hostname}} generated at {{TimeGenerated}} +version: 1.0.6 kind: Scheduled \ No newline at end of file diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Suspend_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Suspend_Query.yaml new file mode 100644 index 00000000000..916dbe90e3e --- /dev/null +++ b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Suspend_Query.yaml 
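Review bot: The trailing comment on the `project-away` line, `// action field will have filtered ip addr, so no point of using IP entity`, is the only record of why this rule has no IP entity and it is hard to parse — it does not say whose address `action.src_ip` carries on an agent_offline_check event or why that address is unusable. Reword it to state the reason explicitly, along the lines of `// action.src_ip on agent_offline_check events is not the workload's address (<what it holds>), so no IP entity is mapped`, filling in what the field actually contains. The `query: |` line is visible in the hunk but the rule's earlier keys are not.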
@@ -0,0 +1,42 @@
+id: 7379f752-18a2-43ca-8b74-70747dd792f8
+name: Illumio VEN Suspend Detection Rule
+description: |
+ 'Create Microsoft Sentinel Incident When Ven Goes Into Suspended state'
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: IllumioSaaSDataConnector
+ dataTypes:
+ - Illumio_Auditable_Events_CL
+queryFrequency: 60m
+queryPeriod: 60m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+query: |
+ Illumio_Auditable_Events_CL
+ | where event_type has 'agent.suspend'
+ | extend ipaddress = action.src_ip,
+ hostname = created_by.agent.hostname
+ | project-away resource_changes, action, version
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: hostname
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ipaddress
+alertDetailsOverride:
+ alertDisplayNameFormat: |
+ Illumio VEN Suspended Incident for {{hostname}}
+ alertDescriptionFormat: |
+ Illumio VEN Suspended Incident for {{hostname}} generated at {{TimeGenerated}}
+version: 1.0.5
+kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/IllumioSaaS/Package/3.2.0.zip b/Solutions/IllumioSaaS/Package/3.2.0.zip
index beb8586926d..2ea39e72118 100644
Binary files a/Solutions/IllumioSaaS/Package/3.2.0.zip and b/Solutions/IllumioSaaS/Package/3.2.0.zip differ
diff --git a/Solutions/IllumioSaaS/Package/createUiDefinition.json b/Solutions/IllumioSaaS/Package/createUiDefinition.json
index cb18df34c5f..26b06ba08b5 100644
--- a/Solutions/IllumioSaaS/Package/createUiDefinition.json
+++ b/Solutions/IllumioSaaS/Package/createUiDefinition.json
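Review bot: This rule takes the host from `created_by.agent.hostname` and then drops `resource_changes` without reading anything from it, whereas the deactivated rule for the parallel `agent.deactivate` event takes `hostname`/`workload_href`/`workload_labels` from `resource_changes` and keeps `ven_href` from `created_by.ven.href`. If the suspend event carries the same resource_changes payload, the two rules should share one extraction pattern so their incidents look alike; at minimum add `ven_href = created_by.ven.href` to the extend so the suspended VEN stays identifiable once the SingleAlert collapses rows. I cannot tell from the hunk which shape the suspend event actually has, so confirm against a sample event before moving the source of hostname.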
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[IllumioSaaS](https://www.illumio.com/) solution provides ability to ingest auditable and flow events from AWS S3 bucket.\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[IllumioSaaS](https://www.illumio.com/) solution provides ability to ingest auditable and flow events from AWS S3 bucket.\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -212,6 +212,48 @@ } } ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "Illumio VEN Clone Detection Rule", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Create Microsoft Sentinel Incident When A Cloned Ven Is Detected" + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "Illumio VEN Deactivated Detection Rule", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Create Microsoft Sentinel Incident When Ven Goes Into Deactivated state" + } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "Illumio VEN Suspend Detection Rule", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Create Microsoft Sentinel Incident When Ven Goes Into Suspended state" + } + } + ] } ] } diff --git a/Solutions/IllumioSaaS/Package/mainTemplate.json b/Solutions/IllumioSaaS/Package/mainTemplate.json index 71e6d301129..cbd3e49fabd 100644 --- a/Solutions/IllumioSaaS/Package/mainTemplate.json +++ b/Solutions/IllumioSaaS/Package/mainTemplate.json 
@@ -87,25 +87,46 @@ "_workbookContentId3": "[variables('workbookContentId3')]", "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.5", + "analyticRuleVersion1": "1.0.6", "_analyticRulecontentId1": "e9e4e466-3970-4165-bc8d-7721c6ef34a6", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e9e4e466-3970-4165-bc8d-7721c6ef34a6')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e9e4e466-3970-4165-bc8d-7721c6ef34a6')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e9e4e466-3970-4165-bc8d-7721c6ef34a6','-', '1.0.5')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e9e4e466-3970-4165-bc8d-7721c6ef34a6','-', '1.0.6')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.5", + "analyticRuleVersion2": "1.0.6", "_analyticRulecontentId2": "599fdc92-eb6d-4b54-8d79-2a3f740a846a", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '599fdc92-eb6d-4b54-8d79-2a3f740a846a')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('599fdc92-eb6d-4b54-8d79-2a3f740a846a')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','599fdc92-eb6d-4b54-8d79-2a3f740a846a','-', '1.0.5')))]" + "_analyticRulecontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','599fdc92-eb6d-4b54-8d79-2a3f740a846a','-', '1.0.6')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.5", + "analyticRuleVersion3": "1.0.6", "_analyticRulecontentId3": "ec07fcd3-724f-426d-9f53-041801ca5f6c", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ec07fcd3-724f-426d-9f53-041801ca5f6c')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ec07fcd3-724f-426d-9f53-041801ca5f6c')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ec07fcd3-724f-426d-9f53-041801ca5f6c','-', '1.0.5')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ec07fcd3-724f-426d-9f53-041801ca5f6c','-', '1.0.6')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.5", + "_analyticRulecontentId4": "b3c4b8f4-c12c-471e-9999-023c05852276", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b3c4b8f4-c12c-471e-9999-023c05852276')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b3c4b8f4-c12c-471e-9999-023c05852276')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b3c4b8f4-c12c-471e-9999-023c05852276','-', '1.0.5')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.5", + "_analyticRulecontentId5": "c18bd8c2-50f0-4aa2-8122-d449243627d7", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'c18bd8c2-50f0-4aa2-8122-d449243627d7')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c18bd8c2-50f0-4aa2-8122-d449243627d7')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c18bd8c2-50f0-4aa2-8122-d449243627d7','-', '1.0.5')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.5", + "_analyticRulecontentId6": "7379f752-18a2-43ca-8b74-70747dd792f8", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7379f752-18a2-43ca-8b74-70747dd792f8')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7379f752-18a2-43ca-8b74-70747dd792f8')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7379f752-18a2-43ca-8b74-70747dd792f8','-', '1.0.5')))]" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, 
@@ -483,7 +504,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9875bc24-f51c-4151-96f0-2e4af7039364\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":86400000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize count()\",\"size\":4,\"title\":\"Audit Events\",\"noDataMessage\":\"0\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Audit Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"table('Illumio_Auditable_Events_CL')\\n| where event_type has 'tampering'\\n| summarize count()\",\"size\":4,\"title\":\"Tampering Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Tampering Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"table('Illumio_Auditable_Events_CL')\\n| where event_type has 'port_scan'\\n| summarize 
count()\",\"size\":4,\"title\":\"Port Scan Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Port Scan Events\",\"styleSettings\":{\"maxWidth\":\"30\"}}]},\"name\":\"group - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize distinct_count = dcount(href) by event_type\\n| order by distinct_count \\n| top 10 by distinct_count\",\"size\":0,\"title\":\"Top Auditable events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Change Monitoring\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize arg_max(TimeGenerated, *) by href\\n| where event_type == 'sec_policy.create' \\n| mv-expand resource_change = resource_changes\\n| project TimeGenerated,\\n workloads_affected_after_change = resource_change.changes.workloads_affected.after,\\n policy_version = resource_change.resource.sec_policy.version,\\n commit_message = resource_change.resource.sec_policy.commit_message,\\n modified_objects = resource_change.resource.sec_policy.modified_objects,\\n change_type = resource_change.change_type\\n\",\"size\":0,\"title\":\"Workloads affected by policy changes\",\"noDataMessage\":\"No workloads were affected by policy changes\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"name\":\"Workloads affected by policy 
changes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where resource_changes != '[]' and isnotempty(resource_changes) // ensure resource changes are not empty\\n| summarize arg_max(TimeGenerated, *) by href\\n| mv-expand parse_json(resource_changes)\\n| project resource_type = tostring(bag_keys(resource_changes.resource)[0])\\n| summarize Count=count() by resource_type\",\"size\":0,\"title\":\"Changes by Resource Type\",\"noDataMessage\":\"No changes by resource type\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"customWidth\":\"35\",\"name\":\"Changes by Resource Type\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where resource_changes != '[]' and isnotempty(resource_changes) and not(event_type matches regex '^user.*') and (event_type has '.create' or event_type has '.update' or event_type has '.delete') and (created_by !has \\\"agent\\\" and created_by !has \\\"ven\\\" and created_by !has \\\"container\\\")\\n| extend User = tostring(parse_json(created_by)['user']['username'])\\n| summarize Count = count() by User\",\"size\":0,\"title\":\"Changes by User\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"Changes by User\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where created_by has \\\"agent\\\" or created_by has \\\"ven\\\"\\n| project user = tostring(parse_json(created_by)['agent']['hostname'])\\n| summarize count() by user\",\"size\":0,\"title\":\"Events generated by agents\",\"noDataMessage\":\"Agents have not generated 
any events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Events generated by agents\",\"styleSettings\":{\"maxWidth\":\"20\"}}]},\"name\":\"ChangeMonitoring\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize arg_max(TimeGenerated, *) by href // try to filter what event_type to prioritize in bar chart\\n| make-series events = count() default = 0 on TimeGenerated from {Time:start} to {Time:end} step 1h by event_type //from ago(1d) to now() step 1h by event_type \",\"size\":0,\"title\":\"PCE events breakdown - every hour\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"PCE events breakdown - every hour\"},{\"type\":1,\"content\":{\"json\":\"### Authentication events \\nChoose from below drop down to filter authentication events.\"},\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1ee7c425-b1b5-4a71-8dc3-9b447fa1f316\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventType\",\"label\":\"Include Event Type\",\"type\":2,\"description\":\"Types of events to be included \",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n { 
\\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"value::all\"]},{\"id\":\"4f1ca215-f902-4fac-9bf0-834e4988a107\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ExcludeEventType\",\"label\":\"Exclude Event Type\",\"type\":2,\"description\":\"Types of events to be excluded\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n { \\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"},\\n { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\", \\\"selected\\\": true}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"None\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"description\":\"Status 
values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"failure\\\", \\\"label\\\":\\\"Failure\\\" },\\n { \\\"value\\\":\\\"success\\\", \\\"label\\\":\\\"Success\\\", \\\"selected\\\": true },\\n { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"c8996627-2e77-4386-9c23-1eb5d50df311\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"description\":\"Status values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"err\\\", \\\"label\\\":\\\"Error\\\" },\\n { \\\"value\\\":\\\"info\\\", \\\"label\\\":\\\"Info\\\", \\\"selected\\\": true } \\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"79d0945d-d0f8-4293-8dc2-3c57391cde95\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let included_event_types = iif(\\\"*\\\" in ({EventType}), dynamic(['user.login','user.logout', 'user.sign_in', 'user.sign_out', 'user.authenticate','user.create_session','user.pce_session_terminated']), dynamic([{EventType}]) );\\nIllumio_Auditable_Events_CL\\n| where event_type in (included_event_types)\\n| where \\\"*\\\" in ({Status}) or status in ({Status}) and \\\"*\\\" in ({Severity}) or severity in ({Severity})\\n| where not(event_type in ({ExcludeEventType}))\\n| project TimeGenerated, pce_fqdn, event_type, status, notification_type = parse_json(notifications)[0].notification_type,severity, 
created_by_username = iif(created_by == '{\\\"system\\\":{}}', parse_json(notifications)[0].info.user.username, parse_json(created_by).user.username)\",\"size\":0,\"title\":\"PCE Authentication Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":100,\"filter\":true,\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"name\":\"PCE Authentication Events\"}],\"fromTemplateId\":\"sentinel-AuditableEventsWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9875bc24-f51c-4151-96f0-2e4af7039364\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":86400000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize count()\",\"size\":4,\"title\":\"Audit Events\",\"noDataMessage\":\"0\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Audit 
Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"table('Illumio_Auditable_Events_CL')\\n| where event_type has 'tampering'\\n| summarize count()\",\"size\":4,\"title\":\"Tampering Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Tampering Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"table('Illumio_Auditable_Events_CL')\\n| where event_type has 'port_scan'\\n| summarize count()\",\"size\":4,\"title\":\"Port Scan Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Port Scan Events\",\"styleSettings\":{\"maxWidth\":\"30\"}}]},\"name\":\"group - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize distinct_count = dcount(href) by event_type\\n| order by distinct_count \\n| top 10 by distinct_count\",\"size\":0,\"title\":\"Top Auditable events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Change Monitoring\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize arg_max(TimeGenerated, *) by href\\n| where event_type == 'sec_policy.create' \\n| mv-expand resource_change = resource_changes\\n| project TimeGenerated,\\n workloads_affected_after_change = 
resource_change.changes.workloads_affected.after,\\n policy_version = resource_change.resource.sec_policy.version,\\n commit_message = resource_change.resource.sec_policy.commit_message,\\n modified_objects = resource_change.resource.sec_policy.modified_objects,\\n change_type = resource_change.change_type\\n\",\"size\":0,\"title\":\"Workloads affected by policy changes\",\"noDataMessage\":\"No workloads were affected by policy changes\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"name\":\"Workloads affected by policy changes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where resource_changes != '[]' and isnotempty(resource_changes) // ensure resource changes are not empty\\n| summarize arg_max(TimeGenerated, *) by href\\n| mv-expand parse_json(resource_changes)\\n| project resource_type = tostring(bag_keys(resource_changes.resource)[0])\\n| summarize Count=count() by resource_type\",\"size\":0,\"title\":\"Changes by Resource Type\",\"noDataMessage\":\"No changes by resource type\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"customWidth\":\"35\",\"name\":\"Changes by Resource Type\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where resource_changes != '[]' and isnotempty(resource_changes) and not(event_type matches regex '^user.*') and (event_type has '.create' or event_type has '.update' or event_type has '.delete') and (created_by !has \\\"agent\\\" and created_by !has \\\"ven\\\" and created_by !has 
\\\"container\\\")\\n| extend User = tostring(parse_json(created_by)['user']['username'])\\n| summarize Count = count() by User\",\"size\":0,\"title\":\"Changes by User\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"Changes by User\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where created_by has \\\"agent\\\" or created_by has \\\"ven\\\"\\n| project user = tostring(parse_json(created_by)['agent']['hostname'])\\n| summarize count() by user\",\"size\":0,\"title\":\"Events generated by agents\",\"noDataMessage\":\"Agents have not generated any events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Events generated by agents\",\"styleSettings\":{\"maxWidth\":\"20\"}}]},\"name\":\"ChangeMonitoring\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize arg_max(TimeGenerated, *) by href // try to filter what event_type to prioritize in bar chart\\n| make-series events = count() default = 0 on TimeGenerated from {Time:start} to {Time:end} step 1h by event_type //from ago(1d) to now() step 1h by event_type \",\"size\":0,\"title\":\"PCE events breakdown - every hour\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"PCE events breakdown - every hour\"},{\"type\":1,\"content\":{\"json\":\"### Authentication events \\nChoose from below drop down to filter authentication events.\"},\"name\":\"text - 
7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1ee7c425-b1b5-4a71-8dc3-9b447fa1f316\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventType\",\"label\":\"Include Event Type\",\"type\":2,\"description\":\"Types of events to be included \",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n { \\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"value::all\"]},{\"id\":\"4f1ca215-f902-4fac-9bf0-834e4988a107\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ExcludeEventType\",\"label\":\"Exclude Event Type\",\"type\":2,\"description\":\"Types of events to be excluded\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n { 
\\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"},\\n { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\", \\\"selected\\\": true}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"None\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"description\":\"Status values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"failure\\\", \\\"label\\\":\\\"Failure\\\" },\\n { \\\"value\\\":\\\"success\\\", \\\"label\\\":\\\"Success\\\", \\\"selected\\\": true },\\n { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"c8996627-2e77-4386-9c23-1eb5d50df311\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"description\":\"Status values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"err\\\", \\\"label\\\":\\\"Error\\\" },\\n { \\\"value\\\":\\\"info\\\", \\\"label\\\":\\\"Info\\\", \\\"selected\\\": true } \\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"79d0945d-d0f8-4293-8dc2-3c57391cde95\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let included_event_types = iif(\\\"*\\\" in ({EventType}), dynamic(['user.login','user.logout', 'user.sign_in', 'user.sign_out', 'user.authenticate','user.create_session','user.pce_session_terminated']), dynamic([{EventType}]) );\\nIllumio_Auditable_Events_CL\\n| where event_type in (included_event_types)\\n| where \\\"*\\\" in ({Status}) or status in ({Status}) and \\\"*\\\" in ({Severity}) or severity in ({Severity})\\n| where not(event_type in ({ExcludeEventType}))\\n| project TimeGenerated, pce_fqdn, event_type, status, notification_type = parse_json(notifications)[0].notification_type,severity, created_by_username = iif(created_by == '{\\\"system\\\":{}}', parse_json(notifications)[0].info.user.username, parse_json(created_by).user.username)\",\"size\":0,\"title\":\"PCE Authentication Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":100,\"filter\":true,\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"name\":\"PCE Authentication Events\"}],\"fromTemplateId\":\"sentinel-AuditableEventsWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -570,7 +591,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ebc4e534-7a4a-41be-b365-ddcd4f564090\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time Range\",\"type\":4,\"description\":\"As a time filter\",\"isGlobal\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize count() by bin(TimeGenerated, 1h)\",\"size\":0,\"title\":\"Traffic every hour\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"traffic-every-hour\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Trafficked Workload Stats\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Enter the number of workloads for which the inbound and outbound connections are to be fetched. These workloads will be ordered by connection count. 
\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0dead08f-24f5-40b3-a011-a59e007a8e70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"workload_count\",\"label\":\"Workload Count\",\"type\":1,\"description\":\"Provide an integer that denotes the limit for retrieving most trafficked workloads\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 5, \\\\\\\"label\\\\\\\": 5, \\\\\\\"selected\\\\\\\": true}\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":8,\"value\":\"10\"}],\"style\":\"pills\",\"queryType\":8},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let workload_count = {workload_count};\\nIllumio_Flow_Events_CL\\n| extend hostname = coalesce(src_hostname, dst_hostname)\\n| summarize Count = count() by hostname, dir\\n| summarize InboundCount = sum(iff(dir == \\\"I\\\", Count, 0)), OutboundCount = sum(iff(dir == \\\"O\\\", Count, 0)) by hostname\\n| top workload_count by hostname\\n\",\"size\":0,\"title\":\"Most Trafficked Workloads\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"workload\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"hostname\",\"showLegend\":true,\"xSettings\":{\"label\":\"Workloads\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"Most Trafficked Workloads\"}]},\"name\":\"MostTraffickedWorkload\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Traffic 
Explorer\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Filters for querying traffic data\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"## Traffic Explorer\\n### Please enter source ip, destination ip, destination port, protocol, time range to filter traffic records. \\n### All records are returned unless provided.\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8ab7ce90-16a6-4e7e-85b7-292234a9d3c1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_ip\",\"label\":\"Source IP\",\"type\":2,\"description\":\"Select source ip\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by src_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"24f11ee0-0b0b-4c79-918b-01df57233aa2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_ip\",\"label\":\"Destination IP\",\"type\":2,\"description\":\"Select destination ips\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by dst_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb9fe16e-be04-479d-9389-0095c2b43d50\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_port\",\"label\":\"Destination Port\",\"type\":2,\"description\":\"Select destination 
port\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by dst_port\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"416ab303-c10f-47c1-9f01-7c1324699b49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"protocol\",\"label\":\"Protocol\",\"type\":2,\"description\":\"Protocol for fetching traffic records. For multiple, use comma as delimiter like 6,17\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by proto\\n| extend protocolName = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 
37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n 
proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f07c08c2-ff0f-42a7-adc6-4fd5d7f1cb19\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_label\",\"label\":\"Source Label\",\"type\":2,\"description\":\"Filter for source 
labels\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| where src_labels != ''\\n| extend parsed_labels = parse_json(src_labels)\\n| mv-expand kind=array parsed_labels\\n| extend src_label=tostring(parsed_labels[1])\\n| summarize by src_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"9d5cb77f-31a5-41ed-8849-aaee2b513f54\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_label\",\"label\":\"Destination Label\",\"type\":2,\"description\":\"Filter for destination label\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| where dst_labels != ''\\n| extend parsed_labels = parse_json(dst_labels)\\n| mv-expand kind=array parsed_labels\\n| extend dst_label=tostring(parsed_labels[1])\\n| summarize by dst_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"all_traffic_params\",\"styleSettings\":{\"maxWidth\":\"30\"}}],\"exportParameters\":true},\"name\":\"parameters_group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (src_labels has_any ({src_label}) or 
'*' in ({src_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol})) \\n| extend policy_decision = \\n case(pd == 0, \\\"Allowed\\\",\\n pd == 1, \\\"Potentially Blocked\\\",\\n pd == 2, \\\"Blocked\\\",\\n \\\"Unknown\\\")\\n| summarize count() by policy_decision\\n\",\"size\":2,\"title\":\"Flow count by policy decision\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Potentially Blocked\",\"color\":\"yellow\"},{\"seriesName\":\"Allowed\",\"color\":\"green\"},{\"seriesName\":\"Blocked\",\"color\":\"red\"},{\"seriesName\":\"Unknown\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Flow count by policy decision\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nIllumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend class_type = \\n case(class == 'B', 'Broadcast',\\n class == 'M', 'Multicast',\\n class == 'U', \\\"Unicast\\\",\\n \\\"Unknown\\\")\\n| summarize count() by class_type\\n\",\"size\":2,\"title\":\"Flows by class\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"Flows by class\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### A service is indicated with a destination port and protocol, represented in the below graph as \\\"destination_port/protocol\\\"\",\"style\":\"info\"},\"name\":\"text - 
7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocolName = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 
49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, 
\\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| extend service = strcat(dst_port, '/', protocolName)\\n| summarize service_count = count() by service\\n| top 5 by service_count\\n\",\"size\":0,\"title\":\"Top 5 Services by Flow Count\",\"color\":\"blue\",\"noDataMessage\":\"No services found\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"xAxis\":\"service\",\"yAxis\":[\"service_count\"],\"xSettings\":{\"label\":\"Destination Service\"},\"ySettings\":{\"label\":\"Count\"}}},\"name\":\"Top 5 Services by Flow Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 2 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels 
has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, 
\\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, 
\\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Blocked Traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Blocked Traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 1 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, 
\\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, 
\\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, 
\\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Potentially blocked traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Potentially blocked traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 0 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, 
\\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto 
== 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\",\"size\":0,\"title\":\"Allowed 
traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Allowed traffic\"}]},\"name\":\"Traffic Explorer\"}],\"fromTemplateId\":\"sentinel-FlowDataWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ebc4e534-7a4a-41be-b365-ddcd4f564090\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time Range\",\"type\":4,\"description\":\"As a time filter\",\"isGlobal\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize count() by bin(TimeGenerated, 1h)\",\"size\":0,\"title\":\"Traffic every hour\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"traffic-every-hour\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Trafficked Workload Stats\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Enter the number of workloads for which the inbound and outbound connections are to be fetched. 
These workloads will be ordered by connection count. \",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0dead08f-24f5-40b3-a011-a59e007a8e70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"workload_count\",\"label\":\"Workload Count\",\"type\":1,\"description\":\"Provide an integer that denotes the limit for retrieving most trafficked workloads\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 5, \\\\\\\"label\\\\\\\": 5, \\\\\\\"selected\\\\\\\": true}\\\"}\\n\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":8,\"value\":\"10\"}],\"style\":\"pills\",\"queryType\":8},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let workload_count = {workload_count};\\nIllumio_Flow_Events_CL\\n| extend hostname = coalesce(src_hostname, dst_hostname)\\n| summarize Count = count() by hostname, dir\\n| summarize InboundCount = sum(iff(dir == \\\"I\\\", Count, 0)), OutboundCount = sum(iff(dir == \\\"O\\\", Count, 0)) by hostname\\n| top workload_count by hostname\\n\",\"size\":0,\"title\":\"Most Trafficked Workloads\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"workload\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"hostname\",\"showLegend\":true,\"xSettings\":{\"label\":\"Workloads\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"Most Trafficked 
Workloads\"}]},\"name\":\"MostTraffickedWorkload\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Traffic Explorer\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Filters for querying traffic data\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"## Traffic Explorer\\n### Please enter source ip, destination ip, destination port, protocol, time range to filter traffic records. \\n### All records are returned unless provided.\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8ab7ce90-16a6-4e7e-85b7-292234a9d3c1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_ip\",\"label\":\"Source IP\",\"type\":2,\"description\":\"Select source ip\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by src_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"24f11ee0-0b0b-4c79-918b-01df57233aa2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_ip\",\"label\":\"Destination IP\",\"type\":2,\"description\":\"Select destination ips\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by 
dst_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb9fe16e-be04-479d-9389-0095c2b43d50\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_port\",\"label\":\"Destination Port\",\"type\":2,\"description\":\"Select destination port\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by dst_port\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"416ab303-c10f-47c1-9f01-7c1324699b49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"protocol\",\"label\":\"Protocol\",\"type\":2,\"description\":\"Protocol for fetching traffic records. 
For multiple, use comma as delimiter like 6,17\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by proto\\n| extend protocolName = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n 
proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n 
proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f07c08c2-ff0f-42a7-adc6-4fd5d7f1cb19\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_label\",\"label\":\"Source Label\",\"type\":2,\"description\":\"Filter for source labels\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| where src_labels != ''\\n| extend parsed_labels = parse_json(src_labels)\\n| mv-expand kind=array parsed_labels\\n| extend src_label=tostring(parsed_labels[1])\\n| summarize by 
src_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"9d5cb77f-31a5-41ed-8849-aaee2b513f54\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_label\",\"label\":\"Destination Label\",\"type\":2,\"description\":\"Filter for destination label\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| where dst_labels != ''\\n| extend parsed_labels = parse_json(dst_labels)\\n| mv-expand kind=array parsed_labels\\n| extend dst_label=tostring(parsed_labels[1])\\n| summarize by dst_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"all_traffic_params\",\"styleSettings\":{\"maxWidth\":\"30\"}}],\"exportParameters\":true},\"name\":\"parameters_group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol})) \\n| extend policy_decision = \\n case(pd == 0, \\\"Allowed\\\",\\n pd == 1, \\\"Potentially Blocked\\\",\\n pd == 2, \\\"Blocked\\\",\\n 
\\\"Unknown\\\")\\n| summarize count() by policy_decision\\n\",\"size\":2,\"title\":\"Flow count by policy decision\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Potentially Blocked\",\"color\":\"yellow\"},{\"seriesName\":\"Allowed\",\"color\":\"green\"},{\"seriesName\":\"Blocked\",\"color\":\"red\"},{\"seriesName\":\"Unknown\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Flow count by policy decision\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nIllumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend class_type = \\n case(class == 'B', 'Broadcast',\\n class == 'M', 'Multicast',\\n class == 'U', \\\"Unicast\\\",\\n \\\"Unknown\\\")\\n| summarize count() by class_type\\n\",\"size\":2,\"title\":\"Flows by class\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"Flows by class\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### A service is indicated with a destination port and protocol, represented in the below graph as \\\"destination_port/protocol\\\"\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in 
({dst_label})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocolName = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, 
\\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, 
\\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| extend service = strcat(dst_port, '/', protocolName)\\n| summarize service_count = count() by service\\n| top 5 by service_count\\n\",\"size\":0,\"title\":\"Top 5 Services by Flow Count\",\"color\":\"blue\",\"noDataMessage\":\"No services found\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"xAxis\":\"service\",\"yAxis\":[\"service_count\"],\"xSettings\":{\"label\":\"Destination Service\"},\"ySettings\":{\"label\":\"Count\"}}},\"name\":\"Top 5 Services by Flow Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 2 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, 
\\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto 
== 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, 
\\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Blocked Traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Blocked Traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 1 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, 
\\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n 
proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| 
project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Potentially blocked traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Potentially blocked traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 0 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, 
\\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n 
proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\",\"size\":0,\"title\":\"Allowed traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Allowed traffic\"}]},\"name\":\"Traffic Explorer\"}],\"fromTemplateId\":\"sentinel-FlowDataWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": 
"[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -657,7 +678,7 @@ }, "properties": { "displayName": "[parameters('workbook3-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Illumio Workloads Stats\\n---\\n\\nThis workbook uses Illumio APIs to fetch workload details and presents stats.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"4de2c193-277e-4f8e-88b5-2caac1676e2b\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Operations\",\"subTarget\":\"0\",\"style\":\"link\",\"tabWidth\":\"500px\"},{\"id\":\"8b46c8dd-071a-4bd4-9d36-1247d8777702\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Investigations\",\"subTarget\":\"1\",\"style\":\"link\",\"tabWidth\":\"500px\"}]},\"name\":\"links - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print workload_response = '{GETWorkloadsAPI}'\\n| project parse_json(workload_response)\\n| mv-apply workload_response on (\\n where workload_response.managed == 'true' and isnotempty(workload_response.risk_summary)\\n | project exposure_severity = workload_response.risk_summary.ransomware.workload_exposure_severity,\\n protection_percentage = workload_response.risk_summary.ransomware.ransomware_protection_percent,\\n updated_at = workload_response.risk_summary.ransomware.last_updated_at\\n )\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 
0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"Ransomware\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_version)\\n| mv-expand keyValue = parsedJson\\n| extend version = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project version, count_\",\"size\":3,\"title\":\"Workloads by VEN Version\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_managed)\\n| mv-expand keyValue = parsedJson\\n| extend managed = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project managed = iff(managed == 'true', 'Managed', 'Unmanaged'), count_\",\"size\":3,\"title\":\"Managed and Unmanaged workload counts\",\"noDataMessage\":\"No workloads\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 
4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_type)\\n| mv-expand keyValue = parsedJson\\n| extend type = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project type, count_\",\"size\":3,\"title\":\"VENs by type\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_os)\\n| mv-expand keyValue = parsedJson\\n| extend os = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project os, count_\",\"size\":3,\"title\":\"Managed workloads by OS\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 
6\",\"styleSettings\":{\"maxWidth\":\"50\"}}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"0\"},\"name\":\"WorkloadOperations\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_enforcement_mode)\\n| mv-expand keyValue = parsedJson\\n| extend mode = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project mode = case(mode == 'full', 'Full',\\n mode == 'visibility_only', 'Visibility Only',\\n mode == 'selective', \\\"Selective\\\",\\n \\\"Idle\\\"), count_\\n\",\"size\":3,\"title\":\"Workloads by enforcement modes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 7\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_status)\\n| mv-expand keyValue = parsedJson\\n| extend status = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project status, count_\\n\",\"size\":3,\"title\":\"VENs by Status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 
1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_sync_state)\\n| mv-expand keyValue = parsedJson\\n| extend sync_state = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project sync_state, count_\\n\",\"size\":3,\"title\":\"VENs by synchronization state\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Workload Investigations\"}],\"fromTemplateId\":\"sentinel-apiWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Illumio Workloads Stats\\n---\\n\\nThis workbook uses Illumio APIs to fetch workload details and presents stats.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"4de2c193-277e-4f8e-88b5-2caac1676e2b\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Operations\",\"subTarget\":\"0\",\"style\":\"link\",\"tabWidth\":\"500px\"},{\"id\":\"8b46c8dd-071a-4bd4-9d36-1247d8777702\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Investigations\",\"subTarget\":\"1\",\"style\":\"link\",\"tabWidth\":\"500px\"}]},\"name\":\"links - 
9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print workload_response = '{GETWorkloadsAPI}'\\n| project parse_json(workload_response)\\n| mv-apply workload_response on (\\n where workload_response.managed == 'true' and isnotempty(workload_response.risk_summary)\\n | project exposure_severity = workload_response.risk_summary.ransomware.workload_exposure_severity,\\n protection_percentage = workload_response.risk_summary.ransomware.ransomware_protection_percent,\\n updated_at = workload_response.risk_summary.ransomware.last_updated_at\\n )\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"Ransomware\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_version)\\n| mv-expand keyValue = parsedJson\\n| extend version = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project version, count_\",\"size\":3,\"title\":\"Workloads by VEN 
Version\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_managed)\\n| mv-expand keyValue = parsedJson\\n| extend managed = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project managed = iff(managed == 'true', 'Managed', 'Unmanaged'), count_\",\"size\":3,\"title\":\"Managed and Unmanaged workload counts\",\"noDataMessage\":\"No workloads\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_type)\\n| mv-expand keyValue = parsedJson\\n| extend type = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project type, count_\",\"size\":3,\"title\":\"VENs by 
type\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_os)\\n| mv-expand keyValue = parsedJson\\n| extend os = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project os, count_\",\"size\":3,\"title\":\"Managed workloads by OS\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"maxWidth\":\"50\"}}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"0\"},\"name\":\"WorkloadOperations\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_enforcement_mode)\\n| mv-expand keyValue = parsedJson\\n| extend mode = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project mode = case(mode == 'full', 'Full',\\n mode == 'visibility_only', 'Visibility Only',\\n mode == 'selective', \\\"Selective\\\",\\n \\\"Idle\\\"), 
count_\\n\",\"size\":3,\"title\":\"Workloads by enforcement modes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 7\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_status)\\n| mv-expand keyValue = parsedJson\\n| extend status = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project status, count_\\n\",\"size\":3,\"title\":\"VENs by Status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_sync_state)\\n| mv-expand keyValue = parsedJson\\n| extend sync_state = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project sync_state, count_\\n\",\"size\":3,\"title\":\"VENs by synchronization state\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"name\":\"query - 
2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Workload Investigations\"}],\"fromTemplateId\":\"sentinel-apiWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -726,7 +747,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Illumio_Firewall_Tampering_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "description": "Illumio_VEN_Firewall_Tampering_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -743,7 +764,7 @@
 "description": "Create Microsoft Sentinel Incident When Firewall Is Tampered With",
 "displayName": "Illumio Firewall Tampering Analytic Rule",
 "enabled": false,
- "query": "Illumio_Auditable_Events_CL\n| where event_type has 'tampering'\n",
+ "query": "Illumio_Auditable_Events_CL\n | where event_type has 'tampering'\n | extend ipaddress = action.src_ip,\n hostname = created_by.agent.hostname,\n ven_href = created_by.ven.href\n | project-away resource_changes, action, version\n",
 "queryFrequency": "PT60M",
 "queryPeriod": "PT60M",
 "severity": "Medium",
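Review bot: The rewritten query maps `action.src_ip` to the IP entity (the mapping at -768 reads `ipaddress`), while the Offline rule's query at -981 carries the author's own comment that the `action` field holds a filtered address and is not worth mapping to an IP entity; the same column is also mapped in the Enforcement Change rule (-862/-887). If that comment is right, the IP entity on this and the Enforcement Change alerts points analysts at the wrong address, so either drop the mapping here too or add a comment to the query stating why `action.src_ip` is the right address for tampering events. Separately, `event_type has 'tampering'` is a bare-term match while the sibling rules pin the full type (for example `'agent.clone_detected'`); pinning the exact event type here avoids matching any other audit event whose type contains that term. The new query also indents its pipes with leading spaces (`\n | where …`), unlike every other rule query in this change.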
@@ -768,30 +789,30 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "created_by",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "hostname"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "action",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ipaddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ],
 "eventGroupingSettings": {
- "aggregationKind": "AlertPerResult"
+ "aggregationKind": "SingleAlert"
 },
 "alertDetailsOverride": {
- "alertDisplayNameFormat": "Illumio Firewall Tamper Incident: {{IncidentId}}\n",
- "alertDescriptionFormat": "Illumio Firewall Tamper Incident {{IncidentId}} generated at {{TimeGenerated}}\n"
+ "alertDescriptionFormat": "Illumio Firewall Tamper Incident for {{hostname}} generated at {{TimeGenerated}}\n",
+ "alertDisplayNameFormat": "Illumio Firewall Tamper Incident for {{hostname}}\n"
 }
 }
 },
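Review bot: Switching `aggregationKind` from `AlertPerResult` to `SingleAlert` while the overridden title is `Illumio Firewall Tamper Incident for {{hostname}}` means that when several hosts report tampering inside one 60-minute run they are folded into a single alert whose `{{hostname}}` placeholder can be populated from only one row. The same switch is made at -887 and -1006; for a per-host signal like this, `AlertPerResult` (the value being removed) keeps one alert per affected machine, which is also what the new single-host title assumes. If the intent is to cap alert volume, say so in the rule description, since an analyst would otherwise read the title as a single-host incident.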
@@ -862,7 +883,7 @@
 "description": "Create Microsoft Sentinel Incident When Ven Changes Enforcement State from Full/Selective To Idle/Visibility state",
 "displayName": "Illumio Enforcement Change Analytic Rule",
 "enabled": false,
- "query": "let enf_state = dynamic([\"full\", \"selective\"]);\nlet visibility_state = dynamic([\"visibility\", \"idle\"]);\nIllumio_Auditable_Events_CL\n| extend temp_resource_changes = parse_json(resource_changes)[0]\n| where event_type == 'workloads.update' \n| extend old_mode = temp_resource_changes.changes.enforcement_mode.before,\n new_mode = temp_resource_changes.changes.enforcement_mode.after,\n workload_href = temp_resource_changes.resource.workload.href,\n workload_name = temp_resource_changes.resource.workload.hostname\n| where new_mode in (visibility_state) and old_mode in (enf_state)\n| project-away temp_*\n| project old_mode, new_mode, workload_href, workload_name, TimeGenerated, created_by\n",
+ "query": "let enf_state = dynamic([\"full\", \"selective\"]);\nlet visibility_state = dynamic([\"visibility_only\", \"idle\"]);\nIllumio_Auditable_Events_CL\n| extend temp_resource_changes = parse_json(resource_changes)[0]\n| where event_type == 'workloads.update' \n| extend old_mode = temp_resource_changes.changes.enforcement_mode.before,\n new_mode = temp_resource_changes.changes.enforcement_mode.after,\n workload_href = temp_resource_changes.resource.workload.href,\n workload_name = temp_resource_changes.resource.workload.hostname,\n ipaddress = action.src_ip\n| where new_mode in (visibility_state) and old_mode in (enf_state)\n| project-away temp_*\n| project old_mode, new_mode, workload_href, workload_name, TimeGenerated, created_by, ipaddress\n",
 "queryFrequency": "PT60M",
 "queryPeriod": "PT60M",
 "severity": "Medium",
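Review bot: `parse_json(resource_changes)[0]` inspects only the first element of `resource_changes`, so a `workloads.update` event that carries several workloads would report only the first one and silently miss the rest, whereas the Deactivated and Offline rules in this same change use `mv-expand resource_changes`. Replacing that line with `| mv-expand temp_resource_changes = parse_json(resource_changes)` keeps the rest of the query unchanged and evaluates every changed workload. The correction of `visibility` to `visibility_only` matches the mode string the workbook's enforcement-mode chart compares against; a short comment in the query noting that both lists are exact-match on the Illumio mode strings would stop the next editor from reverting it.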
@@ -887,30 +908,39 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "workload_name",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "workload_name"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "created_by",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "created_by"
 }
- ],
- "entityType": "Account"
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "ipaddress"
+ }
+ ]
 }
 ],
 "eventGroupingSettings": {
- "aggregationKind": "AlertPerResult"
+ "aggregationKind": "SingleAlert"
 },
 "alertDetailsOverride": {
- "alertDisplayNameFormat": "Illumio Enforcement Change Incident: {{IncidentId}}\n",
- "alertDescriptionFormat": "Illumio Enforcement Change Incident {{IncidentId}} generated at {{TimeGenerated}}\n"
+ "alertDescriptionFormat": "Illumio Enforcement Change Incident for {{workload_name}} generated at {{TimeGenerated}}\n",
+ "alertDisplayNameFormat": "Illumio Enforcement Change Incident for {{workload_name}}\n"
 }
 }
 },
@@ -981,7 +1011,7 @@
 "description": "Create Microsoft Sentinel Incident When Ven Goes Into Offline state",
 "displayName": "Illumio VEN Offline Detection Rule",
 "enabled": false,
- "query": "Illumio_Auditable_Events_CL\n| where event_type has 'agent_offline_check'\n",
+ "query": "Illumio_Auditable_Events_CL\n| where event_type has 'agent_offline_check'\n| mv-expand resource_changes\n| extend hostname = resource_changes['resource']['workload']['hostname'],\n workload_href = resource_changes['resource']['workload']['href'],\n workload_labels = resource_changes['resource']['workload']['labels']\n| project-away resource_changes, version, notifications, action, severity, status // action field will have filtered ip addr, so no point of using IP entity\n",
 "queryFrequency": "PT60M",
 "queryPeriod": "PT60M",
 "severity": "High",
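Review bot: The Account entity keeps `"columnName": "created_by"`, but the query at -862 projects `created_by` as the whole object (the other rules read `created_by.agent.hostname` and `created_by.ven.href` out of it), so the Account `Name` identifier appears to receive a JSON bag rather than a principal name and entity matching across incidents will not work. Project a scalar sub-field of `created_by` that names the actor into its own column and map that column instead; if no such field exists for this event type, drop the Account mapping rather than ship a non-matching entity. The IP mapping added here inherits the `action.src_ip` question raised on the tampering rule at -743, and the `SingleAlert` switch the one raised at -768.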
@@ -1006,21 +1036,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "resource_changes",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "hostname"
 }
- ],
- "entityType": "Host"
+ ]
 }
 ],
 "eventGroupingSettings": {
- "aggregationKind": "AlertPerResult"
+ "aggregationKind": "SingleAlert"
 },
 "alertDetailsOverride": {
- "alertDisplayNameFormat": "Illumio VEN Offline Incident: {{IncidentId}}\n",
- "alertDescriptionFormat": "Illumio VEN Offline Incident {{IncidentId}} generated at {{TimeGenerated}}\n"
+ "alertDescriptionFormat": "Illumio VEN Offline Incident for {{hostname}} generated at {{TimeGenerated}}\n",
+ "alertDisplayNameFormat": "Illumio VEN Offline Incident for {{hostname}}\n"
 }
 }
 },
@@ -1065,6 +1095,354 @@ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Illumio_VEN_Clone_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Create Microsoft Sentinel Incident When A Cloned Ven Is Detected", + "displayName": "Illumio VEN Clone Detection Rule", + "enabled": false, + "query": "Illumio_Auditable_Events_CL\n| where event_type has 'agent.clone_detected'\n| extend hostname = created_by.agent.hostname,\n ven_href = created_by.ven.href\n", + "queryFrequency": "PT60M", + "queryPeriod": "PT60M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Illumio_Auditable_Events_CL" + ], + "connectorId": "IllumioSaaSDataConnector" + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1562" + ], + "entityMappings": [ + { + 
"entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "hostname" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Illumio VEN Clone Detection for {{hostname}} generated at {{TimeGenerated}}\n", + "alertDisplayNameFormat": "Illumio VEN Clone Detection Incident for {{hostname}}\n" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", + "properties": { + "description": "IllumioSaaS Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "source": { + "kind": "Solution", + "name": "IllumioSaaS", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "app-integrations@illumio.com" + }, + "support": { + "name": "Illumio", + "email": "app-integrations@illumio.com", + "tier": "Partner", + "link": "https://www.illumio.com/support/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Illumio VEN Clone Detection Rule", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + } + }, + { + 
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Illumio_VEN_Deactivated_Query_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Create Microsoft Sentinel Incident When Ven Goes Into Deactivated state", + "displayName": "Illumio VEN Deactivated Detection Rule", + "enabled": false, + "query": "Illumio_Auditable_Events_CL\n| where event_type has 'agent.deactivate'\n| mv-expand resource_changes\n| extend hostname = resource_changes['resource']['workload']['hostname'],\n workload_href = resource_changes['resource']['workload']['href'],\n workload_labels = resource_changes['resource']['workload']['labels']\n| extend ipaddress = action.src_ip, \n ven_href = created_by.ven.href\n| project-away resource_changes, action, version \n", + "queryFrequency": "PT60M", + "queryPeriod": "PT60M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + 
"Illumio_Auditable_Events_CL" + ], + "connectorId": "IllumioSaaSDataConnector" + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1562" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "hostname" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ipaddress" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Illumio VEN Deactivated Incident for {{hostname}} generated at {{TimeGenerated}}\n", + "alertDisplayNameFormat": "Illumio VEN Deactivated Incident for {{hostname}}\n" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", + "properties": { + "description": "IllumioSaaS Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "source": { + "kind": "Solution", + "name": "IllumioSaaS", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "app-integrations@illumio.com" + }, + "support": { + "name": "Illumio", + "email": "app-integrations@illumio.com", + "tier": "Partner", + "link": "https://www.illumio.com/support/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + 
"displayName": "Illumio VEN Deactivated Detection Rule", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Illumio_VEN_Suspend_Query_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Create Microsoft Sentinel Incident When Ven Goes Into Suspended state", + "displayName": "Illumio VEN Suspend Detection Rule", + "enabled": false, + "query": "Illumio_Auditable_Events_CL\n| where event_type has 'agent.suspend'\n| extend ipaddress = action.src_ip,\n hostname = created_by.agent.hostname\n| project-away resource_changes, action, version \n", + "queryFrequency": "PT60M", + "queryPeriod": "PT60M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": 
"Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Illumio_Auditable_Events_CL" + ], + "connectorId": "IllumioSaaSDataConnector" + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1562" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "hostname" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ipaddress" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Illumio VEN Suspended Incident for {{hostname}} generated at {{TimeGenerated}}\n", + "alertDisplayNameFormat": "Illumio VEN Suspended Incident for {{hostname}}\n" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", + "properties": { + "description": "IllumioSaaS Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "source": { + "kind": "Solution", + "name": "IllumioSaaS", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "app-integrations@illumio.com" + }, + "support": { + "name": "Illumio", + "email": "app-integrations@illumio.com", + "tier": "Partner", + "link": "https://www.illumio.com/support/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Illumio VEN Suspend Detection Rule", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", @@ -1075,7 +1453,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "IllumioSaaS", "publisherDisplayName": "Illumio", - "descriptionHtml": "
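Review bot: The Clone Detection template (rule 4) computes `ven_href` but neither maps it to an entity nor surfaces it in `alertDetailsOverride`, so the alert shows only `{{hostname}}` and an analyst has no handle on which VEN identity was duplicated; adding it to the description format, e.g. `Illumio VEN Clone Detection for {{hostname}} ({{ven_href}}) generated at {{TimeGenerated}}`, makes the alert actionable without touching the query. The Deactivated template (rule 5) likewise extends `workload_href`, `workload_labels` and `ven_href` and then leaves them unused in both the entity mappings and the override formats. All three new templates use `SingleAlert` with a single-host title, which carries the multi-host folding issue noted on the tampering rule at -768, and their IP entity is again sourced from `action.src_ip` (see -743). Minor: the Deactivated query carries trailing whitespace before `\n` in `action.src_ip, \n` and `version \n`, as does the Suspend query in `version \n`.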
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nIllumioSaaS solution provides ability to ingest auditable and flow events from AWS S3 bucket.
\nData Connectors: 1, Workbooks: 3, Analytic Rules: 3
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nIllumioSaaS solution provides ability to ingest auditable and flow events from AWS S3 bucket.
\nData Connectors: 1, Workbooks: 3, Analytic Rules: 6
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -1133,6 +1511,21 @@
 "kind": "AnalyticsRule",
 "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
 "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
 }
 ]
 },
diff --git a/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json b/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json
index fcba9bda4d1..ae0456c5f53 100644
--- a/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json
+++ b/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json
@@ -12,9 +12,12 @@
 "Workbooks/IllumioWorkloadsStats.json"
 ],
 "Analytic Rules": [
- "Analytic Rules/Illumio_Firewall_Tampering_Detection_Query.yaml",
+ "Analytic Rules/Illumio_VEN_Firewall_Tampering_Detection_Query.yaml",
 "Analytic Rules/Illumio_VEN_Enforcement_Change_Detection_Query.yaml",
- "Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml"
+ "Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml",
+ "Analytic Rules/Illumio_VEN_Clone_Detection_Query.yaml",
+ "Analytic Rules/Illumio_VEN_Deactivated_Query.yaml",
+ "Analytic Rules/Illumio_VEN_Suspend_Query.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\IllumioSaaS",
 "Version": "3.2.0",