Removing second to minute conversion as selected unit is in second #2419

Closed
wants to merge 3 commits into from
2 changes: 1 addition & 1 deletion Workbooks/WorkspaceUsage.json
Expand Up @@ -2852,7 +2852,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//\r\n// Add enrichment information about selected Tables\r\n//\r\nlet enrich = datatable (TableName:string,Information:string,link:string)\r\n [\r\n \"Usage\",\"This is common Usage data in all Workspaces\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-cost-storage\",\r\n \"Operation\",\"This is common Operations data in all Workspaces\",\"\",\r\n \"OfficeActivity\",\"This is a PUSH data source, typically <30mins (max ~1day)\",\"https://docs.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#what-is-the-maximum-time-i-will-have-to-wait-before-a-notification-is-sent-about-a-given-office-365-event\",\r\n \"Perf\",\"Operational Data source, this can have limited value to Azure Sentinel\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-data-sources\",\r\n \"Event\",\"Windows Server Event Logs\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-data-sources\",\r\n \"Syslog\", \"Syslog messages using Common Event Format (CEF) streamed from variety of security solutions.Learn more\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"SecurityAlert\",\"Security Alerts from various sources\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"Alert\",\"Alerts from Azure Monitor sources\",\"\",\r\n \"AWSCloudTrail\",\"Azure Sentinel: AWS Cloud trail connector\",\"\",\r\n \"Anomalies\",\"Azure Sentinel: This table contains anomalies generated by the active Anomaly analytics rules in Azure Sentinel.\",\"\",\r\n \"AADNonInteractiveUserSignInLogs\",\"Non-interactive Azure Active Directory sign-in logs from user\",\"\",\r\n \"SecurityEvent\",\"Data from Azure Security Center or Azure Sentinel\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"CommonSecurityLog\",\"CEF data for Azure Sentinel, from multiple 
vendors\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"SecurityIncident\",\"Incident events from Azure Sentinel, also see SecurityAlert\",\"\",\r\n \"Heartbeat\", \"MMA info from Log Analytics agents\",\"\",\r\n \"LAQueryLogs\",\"Auditing of the workspace has been set\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit\",\r\n \"VMConnection\",\"Azure Monitor for VMs or Service Map\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/vmconnection\",\r\n \"KubeServices\",\"AKS data sources\",\"\",\r\n \"Update\",\"Patching info\",\"\", \r\n \"ThreatIntelligenceIndicator\",\"Azure Sentinel TI data\",\"\", \r\n \"AuditLogs\",\"Azure AAD audit information\",\"\", \r\n \"SigninLogs\",\"Azure AAD Signin information\",\"\", \r\n \"AzureActivity\",\"Azure Activity Logs\",\"\",\r\n \"HuntingBookmark\",\"Azure Sentinel - Hunting book mark data\",\"\", \r\n \"UserPeerAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"UserAccessAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"IdentityInfo\",\"Azure Sentinel - UEBA\",\"\", \r\n \"BehaviorAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"DeviceEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection.\",\"\",\r\n \"DeviceFileEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains File creation, modification, and other file system events.\",\"\", \r\n \"DeviceImageLoadEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains DLL loading events\",\"\", \r\n \"DeviceInfo\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. 
This table contains Machine information, including OS information.\",\"\", \r\n \"DeviceLogonEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Sign-ins and other authentication events\",\"\", \r\n \"DeviceNetworkEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Network connection and related events.\",\"\", \r\n \"DeviceNetworkInfo\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains.\",\"\", \r\n \"DeviceProcessEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Process creation and related events.\",\"\", \r\n \"DeviceRegistryEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Creation and modification of registry entries.\",\"\", \r\n \"DnsInventory\",\"DNS Analytics (Preview)\",\"\", \r\n \"W3CIISLog\",\"IIS log data from Azure Monitor Logs\",\"\"\r\n ]\r\n; \r\n// Gather and calculate Latency information\r\nunion withsource = TableName1 *\r\n| summarize \r\n ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 ),2)\r\n , ['minimun E2E IngestionLatency'] = round(min(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 ),2) \r\n , ['maximum E2E IngestionLatency'] = round(max(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))/60 ),2)\r\n by TableName = TableName1\r\n| sort by ['average E2E IngestionLatency'] desc\r\n// join to enrichment and remove unwanted columns \r\n| join kind= fullouter (enrich) on TableName\r\n| where isnotempty(TableName)\r\n| project-away TableName1\r\n",
"query": "//\r\n// Add enrichment information about selected Tables\r\n//\r\nlet enrich = datatable (TableName:string,Information:string,link:string)\r\n [\r\n \"Usage\",\"This is common Usage data in all Workspaces\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-cost-storage\",\r\n \"Operation\",\"This is common Operations data in all Workspaces\",\"\",\r\n \"OfficeActivity\",\"This is a PUSH data source, typically <30mins (max ~1day)\",\"https://docs.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#what-is-the-maximum-time-i-will-have-to-wait-before-a-notification-is-sent-about-a-given-office-365-event\",\r\n \"Perf\",\"Operational Data source, this can have limited value to Azure Sentinel\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-data-sources\",\r\n \"Event\",\"Windows Server Event Logs\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-data-sources\",\r\n \"Syslog\", \"Syslog messages using Common Event Format (CEF) streamed from variety of security solutions.Learn more\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"SecurityAlert\",\"Security Alerts from various sources\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"Alert\",\"Alerts from Azure Monitor sources\",\"\",\r\n \"AWSCloudTrail\",\"Azure Sentinel: AWS Cloud trail connector\",\"\",\r\n \"Anomalies\",\"Azure Sentinel: This table contains anomalies generated by the active Anomaly analytics rules in Azure Sentinel.\",\"\",\r\n \"AADNonInteractiveUserSignInLogs\",\"Non-interactive Azure Active Directory sign-in logs from user\",\"\",\r\n \"SecurityEvent\",\"Data from Azure Security Center or Azure Sentinel\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"CommonSecurityLog\",\"CEF data for Azure Sentinel, from multiple 
vendors\",\"https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources\",\r\n \"SecurityIncident\",\"Incident events from Azure Sentinel, also see SecurityAlert\",\"\",\r\n \"Heartbeat\", \"MMA info from Log Analytics agents\",\"\",\r\n \"LAQueryLogs\",\"Auditing of the workspace has been set\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit\",\r\n \"VMConnection\",\"Azure Monitor for VMs or Service Map\",\"https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/vmconnection\",\r\n \"KubeServices\",\"AKS data sources\",\"\",\r\n \"Update\",\"Patching info\",\"\", \r\n \"ThreatIntelligenceIndicator\",\"Azure Sentinel TI data\",\"\", \r\n \"AuditLogs\",\"Azure AAD audit information\",\"\", \r\n \"SigninLogs\",\"Azure AAD Signin information\",\"\", \r\n \"AzureActivity\",\"Azure Activity Logs\",\"\",\r\n \"HuntingBookmark\",\"Azure Sentinel - Hunting book mark data\",\"\", \r\n \"UserPeerAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"UserAccessAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"IdentityInfo\",\"Azure Sentinel - UEBA\",\"\", \r\n \"BehaviorAnalytics\",\"Azure Sentinel - UEBA\",\"\", \r\n \"DeviceEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection.\",\"\",\r\n \"DeviceFileEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains File creation, modification, and other file system events.\",\"\", \r\n \"DeviceImageLoadEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains DLL loading events\",\"\", \r\n \"DeviceInfo\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. 
This table contains Machine information, including OS information.\",\"\", \r\n \"DeviceLogonEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Sign-ins and other authentication events\",\"\", \r\n \"DeviceNetworkEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Network connection and related events.\",\"\", \r\n \"DeviceNetworkInfo\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains.\",\"\", \r\n \"DeviceProcessEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Process creation and related events.\",\"\", \r\n \"DeviceRegistryEvents\",\"Azure Sentinel: This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Creation and modification of registry entries.\",\"\", \r\n \"DnsInventory\",\"DNS Analytics (Preview)\",\"\", \r\n \"W3CIISLog\",\"IIS log data from Azure Monitor Logs\",\"\"\r\n ]\r\n; \r\n// Gather and calculate Latency information\r\nunion withsource = TableName1 *\r\n| summarize \r\n ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))),2)\r\n , ['minimun E2E IngestionLatency'] = round(min(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))),2) \r\n , ['maximum E2E IngestionLatency'] = round(max(todouble(datetime_diff(\"Second\",ingestion_time(),TimeGenerated))),2)\r\n by TableName = TableName1\r\n| sort by ['average E2E IngestionLatency'] desc\r\n// join to enrichment and remove unwanted columns \r\n| join kind= fullouter (enrich) on TableName\r\n| where isnotempty(TableName)\r\n| project-away TableName1\r\n",
"size": 0,
"timeContext": {
"durationMs": 2592000000
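Review bot: dropping the `/60` from all three `datetime_diff("Second", ingestion_time(), TimeGenerated)` expressions changes the reported unit from minutes to seconds, but the labels `['average E2E IngestionLatency']`, `['minimun E2E IngestionLatency']` and `['maximum E2E IngestionLatency']` still carry no unit, so a reader of the workbook cannot tell which unit a value is in, and anyone comparing against numbers produced by the previous version will be off by a factor of 60. Suggest putting the unit in the label, e.g. `['average E2E IngestionLatency (s)']`, and correcting the `minimun` typo while the line is being edited. Since `datetime_diff` returns whole seconds, the `round(..., 2)` around `min` and `max` is now a no-op and can be removed; it still matters for `avg`.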