Merge pull request #3783 from samikroy/patch-12

Adding Retention Tab

Workbooks/SentinelCentral.json

@@ -262,7 +262,8 @@
                     "showDefault": false
                   },
                   "jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]",
-                  "timeContextFromParameter": "TimeRange"
+                  "timeContextFromParameter": "TimeRange",
+                  "value": "Change Log"
                 }
               ],
               "style": "above",
@@ -274,7 +275,7 @@
           {
             "type": 1,
             "content": {
-              "json": "## Sentinel Central\r\n### Change Log\r\nUse this report to view Incident and Alert data across many workspaces (works with Azure Lighthouse)\r\n\r\n\r\n|Version|Description|\r\n|---|---|\r\n|v1.2| View Alerts from multiple workspaces (Azure Lighhouse compatiable)|\r\n|v1.3| MSSP release |\r\n|v1.4| Add Workspace info |\r\n|v1.5| Add Workspace info |\r\n|v2.0| Multi workspace hunting. per Region selection from main drop down. |\r\n"
+              "json": "## Sentinel Central\r\n### Change Log\r\nUse this report to view Incident and Alert data across many workspaces (works with Azure Lighthouse)\r\n\r\n\r\n|Version|Description|\r\n|---|---|\r\n|v1.2| View Alerts from multiple workspaces (Azure Lighhouse compatiable)|\r\n|v1.3| MSSP release |\r\n|v1.4| Add Workspace info |\r\n|v1.5| Add Workspace info |\r\n|v2.0| Multi workspace hunting. per Region selection from main drop down. |\r\n|v2.1| Addition of Workspace and Table specific retention. |\r\n"
             },
             "customWidth": "50",
             "conditionalVisibility": {
@@ -287,7 +288,7 @@
           {
             "type": 1,
             "content": {
-              "json": "## Sentinel Central Help\r\n#### Data sources: REST api, SentinelIncident and SecurityAlert Tables\r\n\r\n## Incident Overview: \r\nUse this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to. The Workbook is not intended to replace the Multiple Incidents across Workspace view/feature in the Azure Sentinel UI, it's just a way of seeing the data in a different way.\r\n- Workspaces not linked to Azure Sentinel will not be shown.\r\n\r\n## Hunting\r\nThis option allows you to use your own KQL (which you can write within the page, or copy from an example or existing query). This will run against *any* of the Workspaces you have selected in the parameters (local or via Azure Lighthouse), please remember the more Workspaces and time range selected, the slower the results.\r\n- Use case, this allows you to enter a simple KQL query that doesn’t need the prefix of\tworkspace(\"my workspace name\").my table name \r\n\r\ne.g. workspace(Demo\").Usage | limit 10\r\n\r\nor \r\n\r\n//Example query \r\nSecurityIncident\r\n| summarize High = countif(Severity ==\"High\"), Medium = countif(Severity ==\"Medium\"), MyIncidents=make_set(IncidentNumber ) by WorkspaceId=TenantId\r\n\r\n##### Note:\r\nIn your query it maybe useful to have the workspace ID returned, to do this you get the data from the TenantID column, as this name can be confusing we suggest you re-map it to WorkspaceID.\r\ne.g.\r\n•\tSecurityIncident | summarize count() by WorkspaceId=TenantId\r\n\r\n## Query Packs\r\nIf you are using Query Packs, use this Tab to open one (from any Resource Group), you can then click on a Query Pack and then on an individual query to run it. \r\n\r\n- Use case, storing queries this way enables you to share them and secure them (ARM and RBAC), this methods allows you to stay within the workbook to find and execute your queries.\r\n## Saved Searches\r\nAny Saved Searches from a selected Workspace can be run from this tab. \r\n\r\n- Use Case, you can see (if you have read rights) saved searches in a selected Workspace and click to run them. Much like the Query Pack method above.\r\n\r\n\r\n"
+              "json": "## Sentinel Central Help\r\n#### Data sources: REST api, SentinelIncident and SecurityAlert Tables\r\n\r\n## Incident Overview: \r\nUse this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to. The Workbook is not intended to replace the Multiple Incidents across Workspace view/feature in the Azure Sentinel UI, it's just a way of seeing the data in a different way.\r\n- Workspaces not linked to Azure Sentinel will not be shown.\r\n\r\n## Hunting\r\nThis option allows you to use your own KQL (which you can write within the page, or copy from an example or existing query). This will run against *any* of the Workspaces you have selected in the parameters (local or via Azure Lighthouse), please remember the more Workspaces and time range selected, the slower the results.\r\n- Use case, this allows you to enter a simple KQL query that doesn’t need the prefix of\tworkspace(\"my workspace name\").my table name \r\n\r\ne.g. workspace(Demo\").Usage | limit 10\r\n\r\nor \r\n\r\n//Example query \r\nSecurityIncident\r\n| summarize High = countif(Severity ==\"High\"), Medium = countif(Severity ==\"Medium\"), MyIncidents=make_set(IncidentNumber ) by WorkspaceId=TenantId\r\n\r\n##### Note:\r\nIn your query it maybe useful to have the workspace ID returned, to do this you get the data from the TenantID column, as this name can be confusing we suggest you re-map it to WorkspaceID.\r\ne.g.\r\n•\tSecurityIncident | summarize count() by WorkspaceId=TenantId\r\n\r\n## Query Packs\r\nIf you are using Query Packs, use this Tab to open one (from any Resource Group), you can then click on a Query Pack and then on an individual query to run it. \r\n\r\n- Use case, storing queries this way enables you to share them and secure them (ARM and RBAC), this methods allows you to stay within the workbook to find and execute your queries.\r\n## Saved Searches\r\nAny Saved Searches from a selected Workspace can be run from this tab. \r\n\r\n- Use Case, you can see (if you have read rights) saved searches in a selected Workspace and click to run them. Much like the Query Pack method above.\r\n\r\n## Retention\r\nWorkspace and Table specific retention can be viewed in this tab.\r\n\r\n- Use Case, you can see (if you have read rights) the same or different level retention set on a table in a selected Workspace.\r\n\r\n\r\n"
             },
             "customWidth": "50",
             "conditionalVisibility": {
@@ -339,6 +340,14 @@
             "linkLabel": "Saved Searches",
             "subTarget": "saved",
             "style": "link"
+          },
+          {
+            "id": "16449876-2e6f-4c55-9931-30b5d82baead",
+            "cellValue": "selectedTab",
+            "linkTarget": "parameter",
+            "linkLabel": "Retention",
+            "subTarget": "retention",
+            "style": "link"
           }
         ]
       },
@@ -2012,33 +2021,9 @@
                   }
                 ],
                 "labelSettings": [
-                  {
-                    "columnId": "name"
-                  },
                   {
                     "columnId": "body",
                     "label": "Query"
-                  },
-                  {
-                    "columnId": "description"
-                  },
-                  {
-                    "columnId": "tags"
-                  },
-                  {
-                    "columnId": "lastModifiedAt"
-                  },
-                  {
-                    "columnId": "lastModifiedBy"
-                  },
-                  {
-                    "columnId": "createdBy"
-                  },
-                  {
-                    "columnId": "createdByType"
-                  },
-                  {
-                    "columnId": "createdAt"
                   }
                 ]
               },
@@ -2252,8 +2237,90 @@
         "value": "saved"
       },
       "name": "group - kql"
+    },
+    {
+      "type": 12,
+      "content": {
+        "version": "NotebookGroup/1.0",
+        "groupType": "editable",
+        "title": "Workspace and Table Retention: Select a Workspace to check Workspace and Table Retention",
+        "items": [
+          {
+            "type": 9,
+            "content": {
+              "version": "KqlParameterItem/1.0",
+              "crossComponentResources": [
+                "{Subscription}"
+              ],
+              "parameters": [
+                {
+                  "id": "54ab7c42-3983-46fd-bb6b-9a1d206eec3a",
+                  "version": "KqlParameterItem/1.0",
+                  "name": "Workspace",
+                  "type": 5,
+                  "description": "Lookup Workspace and Table Retention",
+                  "isRequired": true,
+                  "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| extend customerID = trim(' ', tostring(properties.customerId))\r\n| project id, customerID, name=tolower(name)\r\n|join \r\n(\r\n\tresources\r\n\t// Just show Workspaces that have Sentinel enabled\r\n\t| where type =~ \"microsoft.operationsmanagement/solutions\"\r\n\t| where name has \"SecurityInsights\"\r\n\t| parse name with * '(' s_workspace ')'*\r\n\t| project name=tolower(s_workspace)\r\n) on name\r\n| project tolower(id), customerID, name",
+                  "crossComponentResources": [
+                    "{Subscription}"
+                  ],
+                  "typeSettings": {
+                    "additionalResourceOptions": [],
+                    "showDefault": false
+                  },
+                  "timeContext": {
+                    "durationMs": 86400000
+                  },
+                  "queryType": 1,
+                  "resourceType": "microsoft.resourcegraph/resources"
+                }
+              ],
+              "style": "above",
+              "queryType": 1,
+              "resourceType": "microsoft.resourcegraph/resources"
+            },
+            "name": "parameters - 3"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscription}/resourceGroups/{Workspace:resourcegroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}?api-version=2017-04-26-preview\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"columns\":[{\"path\":\"id\",\"columnid\":\"Workspace\"},{\"path\":\"properties.retentionInDays\",\"columnid\":\"RetentionInDays\"},{\"path\":\"location\",\"columnid\":\"Location\"},{\"path\":\"properties.workspaceCapping.dailyQuotaGb\",\"columnid\":\"DailyQuotaGb\"},{\"path\":\"properties.sku.name\",\"columnid\":\"SkuName\"}]}}]}",
+              "size": 4,
+              "showExportToExcel": true,
+              "queryType": 12,
+              "gridSettings": {
+                "rowLimit": 10000,
+                "filter": true
+              }
+            },
+            "name": "query - 12"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscription}/resourceGroups/{Workspace:resourcegroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/Tables?api-version=2017-04-26-preview\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value\",\"columns\":[{\"path\":\"name\",\"columnid\":\"TableName\"},{\"path\":\"properties.retentionInDays\",\"columnid\":\"RetentionInDays\"}]}}]}",
+              "size": 3,
+              "showExportToExcel": true,
+              "queryType": 12,
+              "gridSettings": {
+                "rowLimit": 10000,
+                "filter": true
+              }
+            },
+            "name": "query - 13"
+          }
+        ]
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "retention"
+      },
+      "name": "group - retention"
     }
   ],
   "fromTemplateId": "sentinel-SentinelCentral",
   "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
+}

Workbooks/WorkbooksMetadata.json

@@ -1319,7 +1319,7 @@
     "dataTypesDependencies": [],
     "dataConnectorsDependencies": [],
     "previewImagesFileNames": [ "SentinelCentralBlack.png", "SentinelCentralWhite.png"],
-    "version": "2.0",
+    "version": "2.1",
     "title": "Sentinel Central",
     "templateRelativePath": "SentinelCentral.json",
     "subtitle": "",