diff --git a/Scenarios/How to get insights into App Control (WDAC) events/DCR-WDAC.json b/Scenarios/How to get insights into App Control (WDAC) events/DCR-WDAC.json
deleted file mode 100644
index 796163f8..00000000
--- a/Scenarios/How to get insights into App Control (WDAC) events/DCR-WDAC.json
+++ /dev/null
@@ -1,76 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "ruleName": {
- "defaultValue": "DCR-WDAC",
- "type": "String",
- "metadata": {
- "description": "Specifies the name of the data collection rule to create."
- }
- },
- "workspaceResourceId": {
- "type": "String",
- "metadata": {
- "description": "The specification of destinations."
- }
- },
- "WorkspaceLocation": {
- "type": "String",
- "metadata": {
- "description": "Specifies the location in which to create the data collection rule."
- }
- },
- "apiVersion": {
- "defaultValue": "2022-06-01",
- "type": "String",
- "metadata": {
- "description": "Specifies the api version to use when deploying data collection rule template."
- }
- }
- },
- "resources": [
- {
- "type": "Microsoft.Insights/dataCollectionRules",
- "apiVersion": "[parameters('apiVersion')]",
- "name": "[parameters('ruleName')]",
- "location": "[parameters('WorkspaceLocation')]",
- "kind": "Windows",
- "properties": {
- "dataSources": {
- "windowsEventLogs": [
- {
- "streams": [
- "Microsoft-Event"
- ],
- "scheduledTransferPeriod": "PT5M",
- "xPathQueries": [
- "Microsoft-Windows-CodeIntegrity/Operational!*[System[(EventID=3076 or EventID=3077 or EventID=3089 or EventID=3099)]]"
- ],
- "name": "eventLogsDataSource"
- }
- ]
- },
- "destinations": {
- "logAnalytics": [
- {
- "workspaceResourceId": "[parameters('workspaceResourceId')]",
- "name": "LogAnalyticsDestination"
- }
- ]
- },
- "dataFlows": [
- {
- "streams": [
- "Microsoft-Event"
- ],
- "destinations": [
- "LogAnalyticsDestination"
- ]
- }
- ],
- "streamDeclarations": {}
- }
- }
- ]
-}
diff --git a/Scenarios/How to get insights into App Control (WDAC) events/picture/LogAnalytics.png b/Scenarios/How to get insights into App Control (WDAC) events/picture/LogAnalytics.png
deleted file mode 100644
index 6169f8c3..00000000
Binary files a/Scenarios/How to get insights into App Control (WDAC) events/picture/LogAnalytics.png and /dev/null differ
diff --git a/Scenarios/How to get insights into App Control (WDAC) events/readme.md b/Scenarios/How to get insights into App Control (WDAC) events/readme.md
index 6ed7ab45..dc6227dc 100644
--- a/Scenarios/How to get insights into App Control (WDAC) events/readme.md
+++ b/Scenarios/How to get insights into App Control (WDAC) events/readme.md
@@ -1,107 +1,7 @@
 # How to get insights into App Control for Business (WDAC) events
- -## Change History - -| Version | Date | What | -| ------------- |-----| -----| -| v1.0|2024-04| first Version, publish DCR and Workbook | -| v1.1|2024-09| Upgraded Visualizations for File events. Updated Documentation| -| v1.2|2025-01| Upgraded workbook to handle SHA1 & SHA256 Hashes| - -
- -## Description -This scenario gives you insights into App Control for Business (WDAC) events collected from Windows machines. -This DCR and Workbook works with any Azure VM or Arc Server resource type emmiting Application Control for Business (WDAC) windows events. - -This scenario provides the next capabilities: -- Collect and send to Log analytics workspace Windows Event logs for App Control for business. -- Identify file and policy events activities, providing various dashoards, charts, filter and export capabilities to help customers analyze and troubleshoot App Control policies effects and status. -- Refine your App Control for business policies, by exporting the workbook data and ingesting it in WDAC Wizards. For more information, see [WDAC Wizard documentation](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard). - -## Try on Portal -### Deploy DCR - -The Data Collection Rule (DCR) leveraged by the Azure Monitor Agent (AMA) will collect Code Integrity/Operational Event logs channel IDs: 3076,3077,3089,3099. For more information, see [WDAC documentation](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations#wdac-block-events-for-executables-dlls-and-drivers). - -> [!NOTE] -> Dont forget to assign this DCR to your machines after being created to start collecting the events that fills the workbook data. - -You can deploy the DCR by clicking on the buttons below:
- - - -### Deploy Workbook - -The Azure Workbook which visualize data collected by the Azure Monitoring Agent (AMA) and stored to a Log Analytics Workspace.:
- -
-You can deploy the workbook by clicking on the buttons below:
- - - -

-### Pre-requisites for using the worbook. -** ** -- Install and configure Arc for Server - Connect hybrid machines to Azure using a deployment script - https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal - -- Install and Configure AMA agent - Deploy Azure Monitor agent on Arc-enabled servers - https://learn.microsoft.com/en-us/azure/azure-arc/servers/concept-log-analytics-extension-deployment - -- Enable VM extension from the Azure portal - https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions-portal - -- Deploy DCR - The Data collector rule (DCR) is the definition that tells the AMA agent what to collect, this is filters, enriches, and transforms the data before sending it to LA. - - Before you start the deployment of the DCR, you need to note the information of your LA workspace as explained below: - - Go to LA workspace list in your subscription https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces - - Select the one you will be using, go to propierties and copy the Workspace ID and Resource ID (image below): - - ![Log Analytics ResID and Location](./picture/LogAnalytics.png) - -- Assign your DCR - - Go to DCR section in your subscription https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules - - Select the new deployed DCRs, the default name is “DCR-WDAC” - - Select the DCR, go to Configuration-> Resources and Add your Arc Enabled Servers - - Select your Arc server, select it, and click Apply. - -- Deploy Workbook - - Go to the "Deploy Workbook section above" - - Select Deploy to Azure or Azure Gov button - - Select the empty setting from the template (Resource Group) - - Select Review and Create and then Create. - -

-### Worbook Usage. -** ** -- View and Analyze your Data - You can view and analyze your data in LA, currently the worbook provides: - - File Audit/Block Events (events 3076/3077/3089) - - Policy inventory and change tracking (event 3099) - - Correlated events in graphic view - - Export events - - Visualization in Excel - - Ingestion in WDAC Wizard - - To view and analyze your data in LA, follow these steps: - - Go to your Azure Monitor Workbooks section in the Azure portal - https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/workbooks - - Type the search section “App Control” to find the new deployed Workbook. - - Open the Workbook by selecting it from Azure monitor / workbooks section. - - Navigate through the AppControl activity tabs in the workbook. - - The workbook contains many filters and visualizations, get familiar with them to undertand: - - Identify potential malware, if missed by antimalware solutions. - - Identify software that's banned by your organization. - - Identity additional rules to created to “authorize” legitimate software. - + > [!NOTE] -> To be able to visualize the data, DCR and Events should properly flow to your LA workspace, even when all is properly configured, can take up to 1h to show in the workbook. +> This content has been moved, please use [aka.ms/appcontrolworkbook](https://aka.ms/appcontrolworkbook)

diff --git a/Scenarios/How to get insights into App Control (WDAC) events/workbook.json b/Scenarios/How to get insights into App Control (WDAC) events/workbook.json
deleted file mode 100644
index f5e75c17..00000000
--- a/Scenarios/How to get insights into App Control (WDAC) events/workbook.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "contentVersion": "1.0.0.0",
- "parameters": {
- "workbookDisplayName": {
- "type": "string",
- "defaultValue": "Security Insights - App Control for Business",
- "metadata": {
- "description": "The friendly name for the workbook that is used in the Gallery or Saved List. This name must be unique within a resource group."
- }
- },
- "workbookType": {
- "type": "string",
- "defaultValue": "workbook",
- "metadata": {
- "description": "The gallery that the workbook will been shown under. Supported values include workbook, tsg, etc. Usually, this is 'workbook'"
- }
- },
- "workbookSourceId": {
- "type": "string",
- "defaultValue": "azure monitor",
- "metadata": {
- "description": "The id of resource instance to which the workbook will be associated"
- }
- },
- "workbookId": {
- "type": "string",
- "defaultValue": "[newGuid()]",
- "metadata": {
- "description": "The unique guid for this workbook instance"
- }
- }
- },
- "resources": [
- {
- "name": "[parameters('workbookId')]",
- "type": "microsoft.insights/workbooks",
- "location": "[resourceGroup().location]",
- "apiVersion": "2022-04-01",
- "dependsOn": [],
- "kind": "shared",
- "properties": {
- "displayName": "[parameters('workbookDisplayName')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Security Insights for Code Integrity\\r\\n---\\r\\nThis workbook shows insights for the code Integrity policies in your devices. 
\\r\\nThe data is splitted in three major areas: \\r\\n\\r\\n\\tApp Control File Events \\r\\n\\tApp Control Policy Events\\r\\n\\tApp Control object's relationships in visual graph\\r\\n\\r\\nPlease select the proper tab to access the information.\\r\\n\\r\\n---\\r\\n  \\r\\n\\r\\n\"},\"name\":\"text - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"##### Select the Log Analytics Workspace and Time Range\"},\"name\":\"subscriptonFilterText\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"40b28eb1-aad1-4096-b338-55c61d20cbdc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"dd441f52-8ce6-4f68-a5e4-8505914d77ed\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"description\":\"Select Subscription of your Log Analytics Workspace\",\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"07fc9063-0c85-4b56-85ec-bb607f0293ad\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"description\":\"Select Log Analytics Workspace\",\"isRequired\":true,\"isGlobal\":true,\"query\":\"resources\\r\\n| where 
type =~ 'microsoft.operationalinsights/workspaces' \\r\\n//| where subscriptionId == '{Subscription:id}'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"/subscriptions/9758f8b4-a201-41e3-93c0-b5a44dd0e37f/resourceGroups/RG01/providers/Microsoft.OperationalInsights/workspaces/OMS-03\"},{\"id\":\"9d382099-bc5e-40a5-b419-634cc81c9da9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"⏱️ Time Range\",\"type\":4,\"description\":\"Select a Time Range of Logs that should be queried\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":2592000000}}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"workspaceParameters\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"40\",\"name\":\"SubscriptionParameter\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"##### Select the Computer Objects to be 
considered\"},\"name\":\"subscriptonFilterText\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"1a9a3e6a-6b79-40e6-af2b-0de717997e4d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ComputerSubscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n| where Source == \\\"Microsoft-Windows-CodeIntegrity\\\"\\r\\n| distinct subscriptions = tostring(split(_ResourceId,\\\"/\\\",2)[0])\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Subscription\"},{\"id\":\"6c90003e-2dd3-49f9-ae20-ff935be39041\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ComputerResourceGroup\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n| where Source == \\\"Microsoft-Windows-CodeIntegrity\\\"\\r\\n| where tostring(split(_ResourceId,\\\"/\\\",2)[0]) in ({ComputerSubscription:subid})\\r\\n| distinct RG = tostring(split(_ResourceId,\\\"/\\\",4)[0])\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Resource Group\"},{\"id\":\"0e07e825-c123-4051-8162-27ccf91d78dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ComputerType\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"microsoft.\\\", \\\"label\\\": \\\"all\\\", 
\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"microsoft.hybridcompute\\\", \\\"label\\\": \\\"Arc\\\" },\\r\\n { \\\"value\\\": \\\"microsoft.compute\\\", \\\"label\\\": \\\"Azure\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"label\":\"Type\"},{\"id\":\"2970ef88-4e70-4301-9287-9b5f28e0787f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Computer\",\"type\":2,\"description\":\"Computers with audit/blocked file or policy events, by number of events and type\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n| where EventID in (3077,3076,3099)\\r\\n| where tostring(split(_ResourceId,\\\"/\\\",2)[0]) in ({ComputerSubscription:subid})\\r\\n| where tostring(split(_ResourceId,\\\"/\\\",4)[0]) in ({ComputerResourceGroup})\\r\\n| where tostring(split(_ResourceId,\\\"/\\\",6)[0]) startswith '{ComputerType}'\\r\\n| summarize FileAudit=countif(EventID==3076),FileBlock=countif(EventID==3077),Policy=countif(EventID==3099) by Computer,_ResourceId\\r\\n| extend display = strcat(Computer,\\\" | File-Audit/Block \\\",FileAudit,\\\"|\\\",FileBlock,\\\", Policy \\\",Policy)\\r\\n| project _ResourceId, display\\r\\n| sort by display asc\\r\\n\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Computer 
Filter\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"40\",\"name\":\"LAWParameter\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let event_data = Event\\r\\n| where (EventID == 3077 or EventID == 3076 )\\r\\n| summarize ComputersWithEventData = dcount(_ResourceId);\\r\\n\\r\\n\\r\\nlet event_Policy = Event\\r\\n| where (EventID == 3099)\\r\\n| summarize ComputersWithEventPolicy = dcount(_ResourceId);\\r\\n\\r\\n\\r\\n\\r\\nlet heartbeat_data = Heartbeat\\r\\n| summarize AllComputers = dcount(_ResourceId);\\r\\n\\r\\nunion\\r\\n(\\r\\n heartbeat_data\\r\\n | extend Activity = \\\"All Computers\\\", Count = AllComputers\\r\\n),\\r\\n\\r\\n(\\r\\n event_Policy\\r\\n | extend Activity = \\\"Computers With Policy Event\\\", Count = ComputersWithEventPolicy\\r\\n),\\r\\n(\\r\\n event_data\\r\\n | extend Activity = \\\"Computers with File Events\\\", Count = ComputersWithEventData\\r\\n)\\r\\n\\r\\n\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"name\":\"Computers with File Events\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"20771732-ace5-41da-95b3-e5c330222dcf\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"File 
Events\",\"subTarget\":\"FileEvents\",\"preText\":\"ClickEvents\",\"style\":\"link\"},{\"id\":\"01c06fe7-c051-4bc2-9449-a24ecd2c8c73\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Policy Events\",\"subTarget\":\"PolicyInsights\",\"style\":\"link\"},{\"id\":\"3951e6d6-c029-4b58-b4d5-cdef3bb193fe\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Graph\",\"subTarget\":\"Graph\",\"style\":\"link\"}]},\"name\":\"tabParameter\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"File Events\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f0ebea62-17a3-4d37-8a21-a3dcb4074e19\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyID\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n| where EventID in (3076,3077) \\r\\n| distinct PolicyID = extract('(.*?)',1,EventData)\\r\\n| sort by PolicyID asc\\r\\n\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"23046908-6782-4162-9431-45a48f60d349\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"3076,3077\\\", \\\"label\\\": \\\"All\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"3076\\\", \\\"label\\\": \\\"Audit\\\" },\\r\\n { \\\"value\\\": \\\"3077\\\", \\\"label\\\": \\\"Block\\\" 
}\\r\\n]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"FileEventsFilter\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FileEvents = Event\\r\\n | where EventID in (3076,3077)\\r\\n | where _ResourceId in ({Computer}) \\r\\n | where EventID in ({Action})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend PolicyID = extract('(.*?)',1,EventData)\\r\\n | where PolicyID in ({PolicyID});\\r\\nFileEvents\\r\\n| union (\\r\\n range x from 1 to 1 step 1\\r\\n | mv-expand TimeGenerated=range(now(-7d),now(),5m) to typeof(datetime )\\r\\n | extend Audit=0\\r\\n | extend Block=0\\r\\n)\\r\\n| summarize Audit=countif(EventID==3076), Block=countif(EventID==3077) by bin(TimeGenerated,5m)\",\"size\":0,\"title\":\"Time Brush File Events, last 7 Days (overrides Time Range)\",\"timeContext\":{\"durationMs\":604800000},\"timeBrushParameterName\":\"TimeRange\",\"timeBrushExportOnlyWhenBrushed\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}],\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"seriesLabelSettings\":[{\"seriesName\":\"Blocked\",\"color\":\"red\"},{\"seriesName\":\"Audit\",\"color\":\"blue\"},{\"seriesName\":\"Block\",\"color\":\"red\"}]}},\"name\":\"TimeBrush_FileEvents\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n| where EventID in (3076,3077) \\r\\n| where EventID 
in ({Action})\\r\\n| extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n| extend PolicyID = extract('(.*?)',1,EventData)\\r\\n| where PolicyID in ({PolicyID})\\r\\n| where _ResourceId in ({Computer})\\r\\n| extend Action = iff(EventID == 3076, \\\"Audit\\\", \\\"Blocked\\\")\\r\\n| sort by TimeGenerated\\r\\n| summarize count() by Action\",\"size\":3,\"title\":\"Action Overview\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"Computer\",\"seriesLabelSettings\":[{\"seriesName\":\"Blocked\",\"color\":\"redDark\"},{\"seriesName\":\"Audit\",\"color\":\"blue\"}],\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"30\",\"name\":\"actionoverview\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n| where EventID in (3076,3077) \\r\\n| where EventID in ({Action})\\r\\n| extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n| extend PolicyID = extract('(.*?)',1,EventData)\\r\\n| where PolicyID in ({PolicyID})\\r\\n| where _ResourceId in ({Computer})\\r\\n| summarize Blocked=countif(EventID == 3077), Audit=countif(EventID == 3076), count() by _ResourceId\\r\\n| join kind=fullouter (\\r\\n Event\\r\\n | where EventID in (3076) \\r\\n | where _ResourceId in ({Computer})\\r\\n | make-series AuditTrend = count() default = 0 on TimeGenerated in range({TimeRange:start}, 
{TimeRange:end}, {TimeRange:grain}) by _ResourceId\\r\\n ) on _ResourceId\\r\\n| join kind=fullouter (\\r\\n Event\\r\\n | where EventID in (3077) \\r\\n | where _ResourceId in ({Computer})\\r\\n | make-series BlockedTrend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by _ResourceId\\r\\n ) on _ResourceId\\r\\n| project-away _ResourceId1, _ResourceId2, TimeGenerated, TimeGenerated1\\r\\n| sort by Blocked \\r\\n| project Computer = _ResourceId, Blocked, BlockedTrend, Audit, AuditTrend\\r\\n\",\"size\":0,\"title\":\"Action by Computer\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"_ResourceId\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Blocked\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\"}},{\"columnMatch\":\"BlockedTrend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"red\"}},{\"columnMatch\":\"Audit\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"AuditTrend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"count_\",\"formatter\":5}],\"filter\":true},\"sortBy\":[],\"chartSettings\":{\"xAxis\":\"Computer\",\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Blocked\",\"color\":\"redBright\"},{\"seriesName\":\"Audit\",\"color\":\"green\"}]}},\"customWidth\":\"70\",\"name\":\"actionbycomputer\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Show additonal 
Information\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"65030c8f-9b90-42f7-8c76-d98f3ab32ca4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"top10process\",\"label\":\"Top Processes\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"10000\\\", \\\"label\\\": \\\"All\\\"},\\r\\n { \\\"value\\\": \\\"5\\\", \\\"label\\\": \\\"Top 5\\\" },\\r\\n { \\\"value\\\": \\\"10\\\", \\\"label\\\": \\\"Top 10\\\" },\\r\\n { \\\"value\\\": \\\"15\\\", \\\"label\\\": \\\"Top 15\\\" },\\r\\n { \\\"value\\\": \\\"20\\\", \\\"label\\\": \\\"Top 20\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"2edceed7-a4cb-4734-a50c-952073b82bea\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"top10publisher\",\"label\":\"Top Publisher\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"10000\\\", \\\"label\\\": \\\"All\\\"},\\r\\n { \\\"value\\\": \\\"5\\\", \\\"label\\\": \\\"Top 5\\\" },\\r\\n { \\\"value\\\": \\\"10\\\", \\\"label\\\": \\\"Top 10\\\" },\\r\\n { \\\"value\\\": \\\"15\\\", \\\"label\\\": \\\"Top 15\\\" },\\r\\n { \\\"value\\\": \\\"20\\\", \\\"label\\\": \\\"Top 20\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"8d23838e-f56a-48f2-9544-dae4671da73b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"top10issuer\",\"label\":\"Top Issuer\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"10000\\\", \\\"label\\\": \\\"All\\\"},\\r\\n 
{ \\\"value\\\": \\\"5\\\", \\\"label\\\": \\\"Top 5\\\" },\\r\\n { \\\"value\\\": \\\"10\\\", \\\"label\\\": \\\"Top 10\\\" },\\r\\n { \\\"value\\\": \\\"15\\\", \\\"label\\\": \\\"Top 15\\\" },\\r\\n { \\\"value\\\": \\\"20\\\", \\\"label\\\": \\\"Top 20\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"de9fd8b7-0e85-41a8-971f-b08938d0b865\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FileSummarybyProcess\",\"label\":\"File Summary by Process\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"10000\\\", \\\"label\\\": \\\"All\\\"},\\r\\n { \\\"value\\\": \\\"5\\\", \\\"label\\\": \\\"Top 5\\\" },\\r\\n { \\\"value\\\": \\\"10\\\", \\\"label\\\": \\\"Top 10\\\" },\\r\\n { \\\"value\\\": \\\"15\\\", \\\"label\\\": \\\"Top 15\\\" },\\r\\n { \\\"value\\\": \\\"20\\\", \\\"label\\\": \\\"Top 20\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"distinctbyuniquefile\",\"label\":\"Distinct by unique File\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"e2fb3390-0620-4c49-b810-8f29fb4878e0\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"showadditinalinfoparameter\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let original_query = Event\\r\\n | where EventID in (3076,3077) \\r\\n | where EventID in ({Action})\\r\\n | where _ResourceId 
in ({Computer})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend ProcessName = extract('(.*?)',1,EventData)\\r\\n | extend PolicyID = extract('(.*?)',1,EventData)\\r\\n | where PolicyID in ({PolicyID})\\r\\n | extend Process = tostring(parse_path(ProcessName).Filename)\\r\\n | summarize Count = count() by Process, EventID \\r\\n | evaluate pivot(EventID, sum(Count));\\r\\n\\r\\nlet total_count_query = Event\\r\\n | where EventID in (3076,3077) \\r\\n | where EventID in ({Action})\\r\\n | where _ResourceId in ({Computer})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend ProcessName = extract('(.*?)',1,EventData)\\r\\n | extend PolicyID = extract('(.*?)',1,EventData)\\r\\n | where PolicyID in ({PolicyID})\\r\\n | extend Process = tostring(parse_path(ProcessName).Filename)\\r\\n \\r\\n | summarize TotalCount = count() by Process ;\\r\\n\\r\\noriginal_query\\r\\n | join kind=inner (total_count_query) on Process\\r\\n\\r\\n | extend tiletop = strcat(Process, \\\", [\\\", TotalCount ,\\\"]\\\")\\r\\n | top {top10process} by TotalCount desc\\r\\n\",\"size\":3,\"title\":\"{top10process:label} Process Name 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"tiletop\",\"formatter\":1,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},\"leftContent\":{\"columnMatch\":\"3077\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"redDark\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"Blocked\"}},\"rightContent\":{\"columnMatch\":\"3076\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"blue\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"Audit\"}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"top10process\",\"comparison\":\"isNotEqualTo\",\"value\":\"No\"},\"name\":\"Top Process Name\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Working with App Control event \\r\\nlet publisher = Event\\r\\n | where EventID == 3089 \\r\\n | where _ResourceId in ({Computer})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend PublisherName = extract('(.*?)',1,EventData)\\r\\n | extend Hash = extract('(.*?)',1,EventData)\\r\\n //new to review | summarize arg_max(TimeGenerated, *) by Hash results with holder ( ayman ) \\r\\n | summarize arg_max(TimeGenerated, *) by Hash\\r\\n | summarize by PublisherName, Hash, Computer;\\r\\n \\r\\n// Working with File event \\r\\nlet clickevent = Event\\r\\n | where EventID in (3076, 3077) \\r\\n | where EventID in ({Action})\\r\\n | extend xml_eventdata = 
parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend SHA1_Hash = extract('(.*?)',1,EventData)\\r\\n | extend SHA256_Hash = extract('(.*?)',1,EventData)\\r\\n | project Computer, TimeGenerated, SHA1_Hash, SHA256_Hash, EventID;\\r\\n\\r\\n// Join on SHA256_Hash\\r\\nlet clickevent_SHA256 = clickevent\\r\\n | join kind = leftouter (\\r\\n publisher\\r\\n | extend joinvalue_sha256 = strcat(Hash, Computer)\\r\\n ) on $left.SHA256_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, EventID, PublisherName;\\r\\n\\r\\n// Join on SHA1_Hash\\r\\nlet clickevent_SHA1 = clickevent\\r\\n | join kind = leftouter (\\r\\n publisher\\r\\n | extend joinvalue_sha1 = strcat(Hash, Computer)\\r\\n ) on $left.SHA1_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, EventID, PublisherName;\\r\\n\\r\\n// Combine results and remove duplicates\\r\\nclickevent_SHA256\\r\\n| union clickevent_SHA1\\r\\n| where isnotempty(PublisherName)\\r\\n| summarize Count = count() by PublisherName = coalesce(PublisherName, \\\"\\\")\\r\\n| sort by Count\\r\\n| top {top10publisher} by Count\\r\\n\",\"size\":3,\"title\":\"{top10publisher:label} Publisher Name\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Process\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false},\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"top10publisher\",\"comparison\":\"isNotEqualTo\",\"value\":\"No\"},\"name\":\"Top 
Publisher Name\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Working with App Control event \\r\\nlet Issuer = Event\\r\\n | where EventID == 3089 \\r\\n | where _ResourceId in ({Computer})\\r\\n //| where TimeGenerated > ago(60d)\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend IssuerName = extract('(.*?)',1,EventData)\\r\\n | extend Hash = extract('(.*?)',1,EventData)\\r\\n //new to review | summarize arg_max(TimeGenerated, *) by Hash results with holder ( ayman ) \\r\\n | summarize arg_max(TimeGenerated, *) by Hash\\r\\n | summarize by IssuerName, Hash, Computer;\\r\\n// Working with File event \\r\\nlet clickevent = Event\\r\\n | where EventID in (3076, 3077) \\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend SHA1_Hash = extract('(.*?)',1,EventData)\\r\\n | extend SHA256_Hash = extract('(.*?)',1,EventData)\\r\\n | project Computer, TimeGenerated, SHA1_Hash, SHA256_Hash, EventID;\\r\\n\\r\\n// Join on SHA256_Hash\\r\\nlet clickevent_SHA256 = clickevent\\r\\n | join kind = leftouter (\\r\\n Issuer\\r\\n | extend joinvalue_sha256 = strcat(Hash, Computer)\\r\\n ) on $left.SHA256_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, EventID, IssuerName;\\r\\n\\r\\n// Join on SHA1_Hash\\r\\nlet clickevent_SHA1 = clickevent\\r\\n | join kind = leftouter (\\r\\n Issuer\\r\\n | extend joinvalue_sha1 = strcat(Hash, Computer)\\r\\n ) on $left.SHA1_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, EventID, IssuerName;\\r\\n\\r\\n// Combine results and remove duplicates\\r\\nclickevent_SHA256\\r\\n| union clickevent_SHA1\\r\\n| where isnotempty(IssuerName)\\r\\n| summarize Count = count() by IssuerName = coalesce(IssuerName, \\\"\\\")\\r\\n| sort by Count\\r\\n| top {top10issuer} by Count\\r\\n\",\"size\":3,\"title\":\"{top10issuer:label} Issuer 
Name\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Process\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false},\"chartSettings\":{\"yAxis\":[\"Count\"],\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"top10issuer\",\"comparison\":\"isNotEqualTo\",\"value\":\"No\"},\"name\":\"Top Issuer Name\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"File Summary by Process\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\r\\n\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n
Tile Definition Example:

File Name
Is the affected file being audit or blocked by the
application control layer in the OS
Process Name
This is the caller process which trigger
the application control file name action
Total EventsAuditBlocked
\\r\\n\",\"style\":\"info\"},\"customWidth\":\"0\",\"name\":\"File Summary by Process-Example\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Extract Publisher information from EventID 3089\\r\\nlet publisher = Event\\r\\n | where EventID == 3089 \\r\\n | where _ResourceId in ({Computer})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend Hash = extract('(.*?)', 1, EventData)\\r\\n | extend PublisherName = extract('(.*?)', 1, EventData)\\r\\n | where isnotempty(PublisherName)\\r\\n | extend IssuerName = extract('(.*?)', 1, EventData)\\r\\n | extend PublisherTBSHash = extract('(.*?)', 1, EventData)\\r\\n | extend IssuerTBSHash = extract('(.*?)', 1, EventData)\\r\\n | summarize arg_max(TimeGenerated, *) by Hash\\r\\n | project TimeGenerated, Hash, PublisherName, IssuerName, _ResourceId, PublisherTBSHash, IssuerTBSHash;\\r\\n\\r\\n// Extract File Events from EventID 3077\\r\\nlet clickevent = Event\\r\\n | where EventID == 3077 or EventID == 3076\\r\\n | where _ResourceId in ({Computer})\\r\\n | where EventID in ({Action})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend PolicyID = extract('(.*?)', 1, EventData)\\r\\n | where PolicyID in ({PolicyID})\\r\\n | extend ProcessName = extract('(.*?)', 1, EventData)\\r\\n | extend FileName = extract('(.*?)', 1, EventData)\\r\\n | extend ProcessName = tostring(parse_path(ProcessName).Filename)\\r\\n | extend FileNameShort = tostring(parse_path(FileName).Filename)\\r\\n | extend SHA1_Hash = extract('(.*?)', 1, EventData)\\r\\n | extend SHA256_Hash = extract('(.*?)', 1, EventData)\\r\\n | extend PolicyName = extract('(.*?)', 1, EventData)\\r\\n | project Computer, TimeGenerated, SHA1_Hash, SHA256_Hash, FileName, ProcessName, PolicyName, EventID, FileNameShort;\\r\\n// Join on SHA256_Hash\\r\\nlet clickevent_SHA256 = clickevent\\r\\n | join kind = leftouter (\\r\\n 
publisher\\r\\n | extend joinvalue_sha256 = strcat(Hash, _ResourceId)\\r\\n ) on $left.SHA256_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, FileName, ProcessName, PolicyName, EventID, FileNameShort, PublisherName, PublisherTBSHash, IssuerTBSHash, Hash = SHA256_Hash;\\r\\n\\r\\n// Join on SHA1_Hash\\r\\nlet clickevent_SHA1 = clickevent\\r\\n | join kind = leftouter (\\r\\n publisher\\r\\n | extend joinvalue_sha1 = strcat(Hash, _ResourceId)\\r\\n ) on $left.SHA1_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, FileName, ProcessName, PolicyName, EventID, FileNameShort, PublisherName, PublisherTBSHash, IssuerTBSHash, Hash = SHA1_Hash;\\r\\n\\r\\n// Combine results and ensure values are shown from either SHA1 or SHA256\\r\\nclickevent_SHA256\\r\\n| union clickevent_SHA1\\r\\n| summarize UniqueEvents = dcount(TimeGenerated)\\r\\n by EventID, ProcessName, FileNameShort, FileName, PublisherName\\r\\n| sort by UniqueEvents\\r\\n| where isnotempty(PublisherName)\\r\\n| top {FileSummarybyProcess} by UniqueEvents\\r\\n\\r\\n\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"FileNameShort\",\"formatter\":1,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true},\"tooltipFormat\":{\"tooltip\":\"File Name\"}},\"subtitleContent\":{\"columnMatch\":\"ProcessName\",\"tooltipFormat\":{\"tooltip\":\"Process Name\"}},\"leftContent\":{\"columnMatch\":\"UniqueEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"none\"},\"tooltipFormat\":{\"tooltip\":\"Count of Uniqe Events Per 
file\"}},\"rightContent\":{\"columnMatch\":\"EventID\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"3077\",\"representation\":\"red\",\"text\":\"Blocked\",\"tooltipFormat\":{\"tooltip\":\"Event ID 3077\"}},{\"operator\":\"==\",\"thresholdValue\":\"3076\",\"representation\":\"blue\",\"text\":\"Audit\",\"tooltipFormat\":{\"tooltip\":\"Event ID 3076\"}},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true},\"chartSettings\":{\"createOtherGroup\":20,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"conditionalVisibility\":{\"parameterName\":\"FileSummarybyProcess\",\"comparison\":\"isNotEqualTo\",\"value\":\"No\"},\"name\":\"File Summary by Process\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"FileSummarybyProcess\",\"comparison\":\"isNotEqualTo\",\"value\":\"No\"},\"name\":\"File Summary by Process-Group\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Extract Publisher information from EventID 3089\\r\\nlet publisher = Event\\r\\n | where EventID == 3089 \\r\\n | where _ResourceId in ({Computer})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend Hash = extract('(.*?)', 1, EventData)\\r\\n | extend PublisherName = extract('(.*?)', 1, EventData)\\r\\n | where isnotempty(PublisherName)\\r\\n | extend IssuerName = extract('(.*?)', 1, EventData)\\r\\n | extend PublisherTBSHash = extract('(.*?)', 1, EventData)\\r\\n | extend IssuerTBSHash = extract('(.*?)', 1, EventData)\\r\\n | summarize arg_max(TimeGenerated, *) by Hash\\r\\n | summarize by Hash, PublisherName, IssuerName, _ResourceId, PublisherTBSHash, IssuerTBSHash;\\r\\n\\r\\n// Extract File 
Events from EventID 3077\\r\\nlet clickevent = Event\\r\\n | where _ResourceId in ({Computer})\\r\\n | where EventID in ({Action})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend PolicyID = extract('(.*?)', 1, EventData)\\r\\n | where PolicyID in ({PolicyID})\\r\\n | extend ProcessName = extract('(.*?)', 1, EventData)\\r\\n | extend FileName = extract('(.*?)', 1, EventData)\\r\\n | extend ProcessName = tostring(parse_path(ProcessName).Filename)\\r\\n | extend FileNameShort = tostring(parse_path(FileName).Filename)\\r\\n | extend SHA1_Hash = extract('(.*?)', 1, EventData)\\r\\n | extend SHA256_Hash = extract('(.*?)', 1, EventData)\\r\\n | extend PolicyName = extract('(.*?)', 1, EventData)\\r\\n | project Computer, TimeGenerated, SHA1_Hash, SHA256_Hash, FileName, ProcessName, PolicyName, EventID, FileNameShort;\\r\\n\\r\\n// Join on SHA256_Hash\\r\\nlet clickevent_SHA256 = clickevent\\r\\n | join kind = leftouter (\\r\\n publisher\\r\\n | extend joinvalue_sha256 = strcat(Hash, _ResourceId)\\r\\n ) on $left.SHA256_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, FileName, ProcessName, PolicyName, EventID, FileNameShort, PublisherName, PublisherTBSHash, IssuerTBSHash, Hash = SHA256_Hash;\\r\\n\\r\\n// Join on SHA1_Hash\\r\\nlet clickevent_SHA1 = clickevent\\r\\n | join kind = leftouter (\\r\\n publisher\\r\\n | extend joinvalue_sha1 = strcat(Hash, _ResourceId)\\r\\n ) on $left.SHA1_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, FileName, ProcessName, PolicyName, EventID, FileNameShort, PublisherName, PublisherTBSHash, IssuerTBSHash, Hash = SHA1_Hash;\\r\\n\\r\\n// Combine results and ensure values are shown from either SHA1 or SHA256\\r\\nclickevent_SHA256\\r\\n| union clickevent_SHA1\\r\\n| summarize UniqueEvents = dcount(TimeGenerated)\\r\\n by EventID, ProcessName, FileNameShort, FileName, PolicyName, PublisherName, PublisherTBSHash, IssuerTBSHash, Hash\\r\\n| sort by UniqueEvents\\r\\n| where 
isnotempty(PublisherName)\\r\\n| top {FileSummarybyProcess} by UniqueEvents\\r\\n| project EventID, UniqueEvents, ProcessName, FileNameShort, FileName, PolicyName, PublisherName;\\r\\n\",\"size\":3,\"title\":\"Distinct by unique File\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"$gen_group\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"3077\",\"representation\":\"Sev0\",\"text\":\"Blocked\"},{\"operator\":\"==\",\"thresholdValue\":\"3076\",\"representation\":\"Sev3\",\"text\":\"Audit\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Line\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FileNameShort\",\"formatter\":5},{\"columnMatch\":\"ProcessName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31ch\"}}],\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"EventID\",\"FileNameShort\"],\"expandTopLevel\":false,\"finalBy\":\"EventID\"}},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ProcessName\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"FileName\"},\"leftContent\":{\"columnMatch\":\"UniqueEvents\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"rightContent\":{\"columnMatch\":\"PublisherName\"},\"secondaryContent\":{\"columnMatch\":\"EventID\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"3077\",\"representation\":\"red\",\"text\":\"Blocked\"},{\"operator\":\"==\",\"thresholdValue\":\"3076\",\"representation\":\"green\",\"text\":\"Audit\"},{\"operator\":\"Default\",\"thresholdV
alue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},\"showBorder\":false},\"chartSettings\":{\"createOtherGroup\":20,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"conditionalVisibility\":{\"parameterName\":\"distinctbyuniquefile\",\"comparison\":\"isNotEqualTo\",\"value\":\"No\"},\"name\":\"Distinct by unique File\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}}]},\"name\":\"Show additonal Information\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"File Events by Time with Filter option\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"17114064-e6f5-4afb-b577-5603861042a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AffectedFileFilter\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n | where EventID in (3076,3077) \\r\\n | where EventID in ({Action})\\r\\n | where _ResourceId in ({Computer})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend AffectedFile = extract('(.*?)',1,EventData)\\r\\n | summarize by AffectedFile\\r\\n | extend AffectedFile2 = replace_string(AffectedFile,\\\"\\\\\\\\\\\",\\\"\\\\\\\\\\\\\\\\\\\")\\r\\n | extend Display = AffectedFile\\r\\n | project-away AffectedFile\\r\\n \",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Affected 
File\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"ProcessNameFilter\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n | where EventID in (3076,3077) \\r\\n | where EventID in ({Action})\\r\\n | where _ResourceId in ({Computer})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend ProcessName = extract('(.*?)',1,EventData)\\r\\n | summarize by ProcessName\\r\\n | extend ProcessName2 = replace_string(ProcessName,\\\"\\\\\\\\\\\",\\\"\\\\\\\\\\\\\\\\\\\")\\r\\n | extend Display = ProcessName\\r\\n | project-away ProcessName\\r\\n \",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"id\":\"c4d143f8-633e-4aa8-8a34-66ba156ffb32\",\"label\":\"Process Name\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserNameFilter\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n | where EventID in (3076,3077) \\r\\n | where EventID in ({Action})\\r\\n | summarize by UserName\\r\\n | extend Display = UserName\\r\\n \",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"id\":\"bd174fa2-72c6-40eb-b023-cb087cfdcaf6\",\"label\":\"User 
Name\",\"value\":[\"value::all\"]},{\"id\":\"6269ef33-aac0-480f-8d5e-b74120c05278\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PublisherNameFilter\",\"label\":\"Publisher\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"// Extract Publisher information from EventID 3089\\r\\nlet publisher = Event\\r\\n | where EventID == 3089 \\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend PublisherName = extract('(.*?)',1,EventData)\\r\\n | extend Hash = extract('(.*?)',1,EventData)\\r\\n | summarize by Hash, PublisherName;\\r\\n\\r\\n// Extract Click Events from EventID 3076 and 3077\\r\\nlet clickevent = Event\\r\\n | where EventID in (3076, 3077) \\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend SHA1_Hash = extract('(.*?)',1,EventData)\\r\\n | extend SHA256_Hash = extract('(.*?)',1,EventData)\\r\\n | project Computer, TimeGenerated, SHA1_Hash, EventID, SHA256_Hash;\\r\\n\\r\\n// Join on SHA1_Hash\\r\\nlet clickevent_SHA1 = clickevent\\r\\n | join kind=inner (\\r\\n publisher\\r\\n ) on $left.SHA1_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, PublisherName, EventID, Hash = SHA1_Hash;\\r\\n\\r\\n// Join on SHA256_Hash\\r\\nlet clickevent_SHA256 = clickevent\\r\\n | join kind=inner (\\r\\n publisher\\r\\n ) on $left.SHA256_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, PublisherName, EventID, Hash = SHA256_Hash;\\r\\n\\r\\n// Combine results and remove duplicates\\r\\nclickevent_SHA256\\r\\n| union clickevent_SHA1\\r\\n| summarize count() by PublisherName\\r\\n| extend Display = strcat(coalesce(PublisherName, \\\"\\\"), \\\", [\\\", count_ ,\\\"]\\\")\\r\\n| sort by count_\\r\\n| project-away 
count_;\\r\\n\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"5832ab11-8517-4873-8251-828b3856a307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IssuerNameFilter\",\"label\":\"Issuer\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"// Extract Publisher information from EventID 3089\\r\\nlet Issuer = Event\\r\\n | where EventID == 3089 \\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend IssuerName = extract('(.*?)',1,EventData)\\r\\n | extend Hash = extract('(.*?)',1,EventData)\\r\\n | summarize by Hash, IssuerName;\\r\\n\\r\\n// Extract Click Events from EventID 3076 and 3077\\r\\nlet clickevent = Event\\r\\n | where EventID in (3076, 3077) \\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend SHA1_Hash = extract('(.*?)',1,EventData)\\r\\n | extend SHA256_Hash = extract('(.*?)',1,EventData)\\r\\n | project Computer, TimeGenerated, SHA1_Hash, EventID, SHA256_Hash;\\r\\n\\r\\n// Join on SHA1_Hash\\r\\nlet clickevent_SHA1 = clickevent\\r\\n | join kind=inner (\\r\\n Issuer\\r\\n ) on $left.SHA1_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, IssuerName, EventID, Hash = SHA1_Hash;\\r\\n\\r\\n// Join on SHA256_Hash\\r\\nlet clickevent_SHA256 = clickevent\\r\\n | join kind=inner (\\r\\n Issuer\\r\\n ) on $left.SHA256_Hash == $right.Hash\\r\\n | project Computer, TimeGenerated, IssuerName, EventID, Hash = SHA256_Hash;\\r\\n\\r\\n// Combine results and remove duplicates\\r\\nclickevent_SHA256\\r\\n| union clickevent_SHA1\\r\\n| summarize count() by IssuerName\\r\\n| extend Display = 
strcat(coalesce(IssuerName, \\\"\\\"), \\\", [\\\", count_ ,\\\"]\\\")\\r\\n| sort by count_\\r\\n| project-away count_;\\r\\n\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"FileParameter\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Extract Publisher information from EventID 3089\\r\\nlet Publisher = Event\\r\\n | where EventID == 3089 \\r\\n | where _ResourceId in ({Computer})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend Hash = extract('(.*?)',1,EventData)\\r\\n | extend PublisherName = extract('(.*?)',1,EventData)\\r\\n | where PublisherName in ({PublisherNameFilter})\\r\\n | extend IssuerName = extract('(.*?)',1,EventData)\\r\\n | where IssuerName in ({IssuerNameFilter})\\r\\n | extend NotValidBefore = extract('(.*?)',1,EventData)\\r\\n | extend NotValidAfter = extract('(.*?)',1,EventData)\\r\\n | extend PublisherTBSHash = extract('(.*?)',1,EventData)\\r\\n | extend IssuerTBSHash = extract('(.*?)',1,EventData)\\r\\n //| summarize by Hash, PublisherName, IssuerName, NotValidAfter, NotValidBefore, _ResourceId, PublisherTBSHash, IssuerTBSHash;\\r\\n //| summarize arg_max(TimeGenerated, *) by Hash, PublisherName, IssuerName, NotValidAfter, NotValidBefore, _ResourceId, PublisherTBSHash, IssuerTBSHash;\\r\\n | summarize arg_max(TimeGenerated, *) by Hash\\r\\n | project TimeGenerated, Hash, PublisherName, IssuerName, NotValidBefore, NotValidAfter, _ResourceId, PublisherTBSHash, 
IssuerTBSHash;\\r\\n\\r\\n// Extract File Events from EventID 3076 and 3077\\r\\nlet FileEvents = Event\\r\\n | where EventID in (3076, 3077) \\r\\n | where EventID in ({Action})\\r\\n | where _ResourceId in ({Computer})\\r\\n | where UserName in ({UserNameFilter})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend AffectedFile = extract('(.*?)',1,EventData)\\r\\n | where AffectedFile in ({AffectedFileFilter})\\r\\n | extend OriginalFileName = extract('(.*?)',1,EventData)\\r\\n | extend InternalName = extract('(.*?)',1,EventData)\\r\\n | extend FileDescription = extract('(.*?)',1,EventData)\\r\\n | extend ProductName = extract('(.*?)',1,EventData)\\r\\n | extend FileVersion = extract('(.*?)',1,EventData)\\r\\n | extend ProcessName = extract('(.*?)',1,EventData)\\r\\n | where ProcessName in ({ProcessNameFilter})\\r\\n | extend PolicyName = extract('(.*?)',1,EventData)\\r\\n | extend PolicyID = extract('(.*?)',1,EventData)\\r\\n | where PolicyID in ({PolicyID})\\r\\n | extend PolicyGUID = extract('(.*?)',1,EventData)\\r\\n | extend Status = extract('(.*?)',1,EventData)\\r\\n | extend SHA1_Hash = extract('(.*?)',1,EventData)\\r\\n | extend SHA256_Hash = extract('(.*?)',1,EventData)\\r\\n | extend PolicyHash = extract('(.*?)',1,EventData)\\r\\n | project TimeGenerated, Computer = iff(isempty(_ResourceId),Computer,_ResourceId), UserName, Action = EventID, Details = RenderedDescription, AffectedFile, \\r\\n ProcessName = replace_regex(ProcessName, \\\"(.*)HarddiskVolume0-9W[iI][nN][dD][oO][wW][sS]\\\", \\\".\\\"), \\r\\n Status, PolicyID, PolicyGUID, PolicyHash, SHA1_Hash, FileVersion, PolicyName, SHA256_Hash;\\r\\n\\r\\n// Join on SHA1_Hash\\r\\nlet FileEvents_SHA1 = FileEvents\\r\\n | join kind = inner (\\r\\n Publisher\\r\\n | extend joinvalue_sha1 = strcat(Hash, _ResourceId)\\r\\n ) on $left.SHA1_Hash == $right.Hash\\r\\n | project TimeGenerated, Computer, UserName, Action, PublisherName, Details, AffectedFile, ProcessName, 
Status, PolicyID, PolicyGUID, PolicyHash, Hash = SHA1_Hash, FileVersion, PolicyName ,PublisherTBSHash;\\r\\n\\r\\n// Join on SHA256_Hash\\r\\nlet FileEvents_SHA256 = FileEvents\\r\\n | join kind = inner (\\r\\n Publisher\\r\\n | extend joinvalue_sha256 = strcat(Hash, _ResourceId)\\r\\n ) on $left.SHA256_Hash == $right.Hash\\r\\n | project TimeGenerated, Computer , UserName, Action, PublisherName, Details, AffectedFile, ProcessName, Status, PolicyID, PolicyGUID, PolicyHash, FileVersion, PolicyName, Hash = SHA256_Hash ,PublisherTBSHash;\\r\\n\\r\\n// Combine results and remove duplicates\\r\\nFileEvents_SHA256\\r\\n| union FileEvents_SHA1\\r\\n//Testing Different Results between PublisherTBSHash or PublisherName to disply unknown publishers \\r\\n//| where isnotempty(PublisherTBSHash)\\r\\n| where isnotempty(PublisherName)\\r\\n| sort by TimeGenerated\\r\\n| project TimeGenerated, Computer, UserName, Action, PublisherName, Details, AffectedFile, ProcessName, Status, PolicyID, PolicyGUID, PolicyHash, FileVersion, PolicyName, 
Hash\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"26ch\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Computer\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"UserName\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"3076\",\"representation\":\"Log\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"3077\",\"representation\":\"Lock\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"3099\",\"representation\":\"Tools\",\"text\":\"{0}{1}\"},{\"representation\":\"disabled\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":null,\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"15ch\"}},{\"columnMatch\":\"PublisherName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"duplicated\",\"representation\":\"up\",\"text\":\"{1}{0}\"},{\"operator\":\"==\",\"thresholdValue\":\"empty\",\"representation\":\"down\",\"text\":\"{1}{0}\"},{\"operator\":\"==\",\"thresholdValue\":\"single\",\"representation\":\"right\",\"text\":\"{1}{0}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":null,\"text\":\"{0}\"}]}},{\"columnMatch\":\"Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\
",\"linkLabel\":\"Click\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"15ch\"}},{\"columnMatch\":\"ProcessName\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"22ch\"}},{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"PolicyID\",\"formatter\":5},{\"columnMatch\":\"PolicyGUID\",\"formatter\":5},{\"columnMatch\":\"PolicyHash\",\"formatter\":5},{\"columnMatch\":\"SHA1_Hash\",\"formatter\":5},{\"columnMatch\":\"OriginalFileName\",\"formatter\":5},{\"columnMatch\":\"InternalName\",\"formatter\":5},{\"columnMatch\":\"FileDescription\",\"formatter\":5},{\"columnMatch\":\"ProductName\",\"formatter\":5},{\"columnMatch\":\"FileVersion\",\"formatter\":5},{\"columnMatch\":\"PolicyName\",\"formatter\":5},{\"columnMatch\":\"SHA256_Hash\",\"formatter\":5},{\"columnMatch\":\"publishervalue\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"5ch\"}},{\"columnMatch\":\"IssuerName\",\"formatter\":5},{\"columnMatch\":\"NotValidAfter\",\"formatter\":5},{\"columnMatch\":\"NotValidBefore\",\"formatter\":5},{\"columnMatch\":\"PublisherTBSHash\",\"formatter\":5},{\"columnMatch\":\"IssuerTBSHash\",\"formatter\":5},{\"columnMatch\":\"parameter_export\",\"formatter\":5},{\"columnMatch\":\"Options\",\"formatter\":5},{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Click\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"15ch\"}},{\"columnMatch\":\"RenderedDescription\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":10000,\"filter\":true},\"sortBy\":[]},\"name\":\"FileEventsRaw\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}}]},\"name\":\"File Events 
Group\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"FileEvents\"},\"name\":\"FileEvents\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Policy Events\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4de5626e-221a-4b15-b8fb-1389a76d2711\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyGUID\",\"label\":\"Policy GUID\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n| where EventID in (3099) \\r\\n| extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n| distinct PolicyGUID = extract('(.*?)',1,EventData)\\r\\n| where PolicyGUID != \\\"{d2bda982-ccf6-4344-ac5b-0b44427b6816}\\\"\\r\\n| sort by PolicyGUID asc \",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"d381479f-7783-4962-a211-a61195794558\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyName\",\"label\":\"Policy Name\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n| where EventID in (3099) \\r\\n| extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n| distinct PolicyName = extract('(.*?)',1,EventData)\\r\\n| where PolicyName != \\\"Microsoft Windows Driver Policy\\\"\\r\\n| sort by PolicyName asc 
\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"Computer Filter - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PolicyEvents = Event\\r\\n | where EventID == 3099 \\r\\n | where _ResourceId in ({Computer})\\r\\n | extend parsed = parse_xml(EventData)\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend PolicyNameBuffer = extract('(.*?)',1,EventData)\\r\\n | where PolicyNameBuffer in ({PolicyName})\\r\\n | extend PolicyGUID = extract('(.*?)',1,EventData)\\r\\n | where PolicyGUID in ({PolicyGUID})\\r\\n | where PolicyNameBuffer != \\\"Microsoft Windows Driver Policy\\\";\\r\\nPolicyEvents\\r\\n| union (\\r\\n range x from 1 to 1 step 1\\r\\n | mv-expand TimeGenerated=range(now(-7d),now(),5m) to typeof(datetime )\\r\\n | extend Audit=0\\r\\n | extend Block=0\\r\\n)\\r\\n| summarize PolicyLoad=countif(EventID==3099) by bin(TimeGenerated,5m)\\r\\n\\r\\n\\r\\n\",\"size\":0,\"title\":\"Time Brush Policy Events, last 7 Days (overrides Time 
Range)\",\"timeContext\":{\"durationMs\":604800000},\"timeBrushParameterName\":\"TimeRange\",\"timeBrushExportOnlyWhenBrushed\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"seriesLabelSettings\":[{\"seriesName\":\"Blocked\",\"color\":\"redBright\"},{\"seriesName\":\"Audit\",\"color\":\"green\"}]}},\"name\":\"TimeBrush_PolicyInsights\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let events = Event\\r\\n| where EventID == 3099\\r\\n| where _ResourceId in ({Computer})\\r\\n| extend parsed = parse_xml(EventData)\\r\\n| extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n| extend PolicyNameBuffer = extract('(.*?)',1,EventData)\\r\\n| where PolicyNameBuffer in ({PolicyName})\\r\\n| extend PolicyGUID = extract('(.*?)',1,EventData)\\r\\n| where PolicyGUID in ({PolicyGUID})\\r\\n| where PolicyNameBuffer != \\\"Microsoft Windows Driver Policy\\\";\\r\\nevents\\r\\n| make-series EventTrend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by _ResourceId\\r\\n| join kind=fullouter (\\r\\n events\\r\\n | summarize Events = count() by _ResourceId\\r\\n ) on _ResourceId\\r\\n| project-away _ResourceId1, TimeGenerated\\r\\n| project Computer = _ResourceId, Events, EventTrend\\r\\n| sort by Events\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"title\":\"Policy Events by 
Computer\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Computer\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"Events\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"}},{\"columnMatch\":\"EventTrend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"purple\"}},{\"columnMatch\":\"_ResourceId1\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"_ResourceId\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"BlockedTrend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"red\"}},{\"columnMatch\":\"AuditTrend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"sortBy\":[],\"chartSettings\":{\"xAxis\":\"Computer\",\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Blocked\",\"color\":\"redBright\"},{\"seriesName\":\"Audit\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"policyEvents-by-computer\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Show additonal Information\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5b62b8c3-8fa6-402a-8303-856c6a896234\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"activepolicy\",\"label\":\"Active Policy\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\" 
}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"modifiedpolicy\",\"label\":\"Modified Policies\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": 99, \\\"label\\\": \\\"No\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": 1, \\\"label\\\": \\\"New/Modified\\\" },\\r\\n { \\\"value\\\": 2, \\\"label\\\": \\\"All\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"ba6e889e-0c0e-49aa-8d36-88f41652edac\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"modifiypolicyParameter\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n| where EventID == 3099\\r\\n| where _ResourceId in ({Computer})\\r\\n| extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n| extend PolicyNameBuffer = extract('(.*?)',1,EventData)\\r\\n| where PolicyNameBuffer in ({PolicyName})\\r\\n| where PolicyNameBuffer != \\\"Microsoft Windows Driver Policy\\\"\\r\\n| extend PolicyGUID = extract('(.*?)',1,EventData)\\r\\n| where PolicyGUID in ({PolicyGUID})\\r\\n| extend Options = extract('(.*?)',1,EventData)\\r\\n| extend Option16 = iff(binary_and(toint(Options), 0x10000) > 0, \\\"Audit\\\", \\\"Enforced\\\")\\r\\n| extend PolicyId = extract('(.*?)',1,EventData)\\r\\n| project TimeGenerated, Computer, Policy = PolicyNameBuffer,Option16, PolicyGUID, PolicyId\\r\\n| summarize arg_max(TimeGenerated, *) by Computer, Policy, PolicyGUID\\r\\n| sort by TimeGenerated\\r\\n| project ['Latest Record']=TimeGenerated, Computer, Policy, Mode=Option16, PolicyGUID = substring(PolicyGUID, 1,strlen(PolicyGUID)-2) , PolicyId\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"title\":\"Active 
Policy\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Mode\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Audit\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Enforced\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"text\":\"{0}{1}\"}]}}],\"rowLimit\":1000,\"sortBy\":[{\"itemKey\":\"Latest Record\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Latest Record\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Process\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"activepolicy\",\"comparison\":\"isNotEqualTo\",\"value\":\"No\"},\"name\":\"Active Policy\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n| where EventID == 3099\\r\\n| where _ResourceId in ({Computer})\\r\\n| extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n| extend PolicyNameBuffer = extract('(.*?)',1,EventData)\\r\\n| where PolicyNameBuffer in ({PolicyName})\\r\\n| where PolicyNameBuffer != \\\"Microsoft Windows Driver Policy\\\"\\r\\n| extend PolicyGUID = extract('(.*?)',1,EventData)\\r\\n| where PolicyGUID in ({PolicyGUID})\\r\\n| extend Options = extract('(.*?)',1,EventData)\\r\\n| extend PolicyId = extract('(.*?)',1,EventData)\\r\\n| project Computer, PolicyNameBuffer, 
TimeGenerated, Options, PolicyGUID, PolicyId\\r\\n| order by Computer, PolicyNameBuffer, TimeGenerated asc\\r\\n| extend prev_Options = prev(Options)\\r\\n| extend prev_Computer = prev(Computer)\\r\\n| extend prev_Policy = prev(PolicyNameBuffer)\\r\\n| extend OptionState = case(\\r\\n isempty(prev_Options), \\\"First Entry\\\",\\r\\n Computer != prev_Computer, \\\"First Entry\\\",\\r\\n PolicyNameBuffer != prev_Policy, \\\"First Entry\\\",\\r\\n Options == prev_Options, \\\"Not Modified\\\",\\r\\n Options != prev_Options, \\\"Modified\\\",\\r\\n \\\"Unknown\\\")\\r\\n| extend showonfilter=iff(OptionState==\\\"Modified\\\" or OptionState==\\\"First Entry\\\",1,2)\\r\\n| where showonfilter <= {modifiedpolicy}\\r\\n| extend Option16 = iff(binary_and(toint(Options), 0x10000) > 0, \\\"Audit\\\", \\\"Enforced\\\")\\r\\n| project TimeGenerated, Computer, Policy = PolicyNameBuffer, OptionState,showonfilter, Mode=Option16,PolicyGUID = substring(PolicyGUID, 1,strlen(PolicyGUID)-2), PolicyId\\r\\n| sort by TimeGenerated\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":2,\"title\":\"Modified Policy\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OptionState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Not Modified\",\"representation\":\"amethyst\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Modified\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"First 
Entry\",\"representation\":\"grayBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"showonfilter\",\"formatter\":5},{\"columnMatch\":\"Mode\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Audit\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Enforced\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"text\":\"{0}{1}\"}]}}],\"rowLimit\":5000},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Process\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"modifiedpolicy\",\"comparison\":\"isNotEqualTo\",\"value\":\"99\"},\"name\":\"Modified Policy\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}}]},\"name\":\"Show additonal Information PolicyEvents\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bc4cb9c6-c634-44a5-8ce0-dec28453d071\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"options\",\"type\":10,\"description\":\"set parameter for policy option details\",\"isRequired\":true,\"isHiddenWhenLocked\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"empty\\\", \\\"label\\\": \\\"empty\\\", \\\"selected\\\":true 
}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PolicyEvents = Event\\r\\n | where EventID == 3099\\r\\n | where _ResourceId in ({Computer})\\r\\n | extend parsed = parse_xml(EventData)\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend PolicyNameBuffer = extract('(.*?)',1,EventData)\\r\\n | where PolicyNameBuffer in ({PolicyName})\\r\\n | where PolicyNameBuffer != \\\"Microsoft Windows Driver Policy\\\"\\r\\n | extend PolicyGUID = extract('(.*?)',1,EventData)\\r\\n | where PolicyGUID in ({PolicyGUID})\\r\\n | extend Options = extract('(.*?)',1,EventData)\\r\\n | extend Option16 = iff(binary_and(toint(Options), 0x10000) > 0, \\\"Audit\\\", \\\"Enforced\\\")\\r\\n | extend PolicyId = extract('(.*?)',1,EventData)\\r\\n | project TimeGenerated, Details=RenderedDescription, UserName, Computer = iff(isempty(_ResourceId),Computer,_ResourceId), Policy = PolicyNameBuffer, Mode=Option16, Options, PolicyGUID = substring(PolicyGUID, 1,strlen(PolicyGUID)-2), PolicyId ;\\r\\nPolicyEvents\\r\\n| sort by TimeGenerated\\r\\n| project-reorder TimeGenerated, Computer, UserName\",\"size\":2,\"title\":\"Policy Events by 
Time\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"Options\",\"parameterName\":\"options\",\"parameterType\":1},{\"fieldName\":\"optionsvisible\",\"parameterName\":\"optionsvisible\",\"parameterType\":1}],\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Computer\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"UserName\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Click\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"15ch\"}},{\"columnMatch\":\"Mode\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Audit\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Enforced\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Options\",\"formatter\":5},{\"columnMatch\":\"optionsvisible\",\"formatter\":5},{\"columnMatch\":\"ProcessName\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"22ch\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_link_Computer_1\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_link_Computer_1\",\"sortOrder\":1}]},\"name\":\"PolicyEventsbyTime\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let hexValue = \\\"{options}\\\";\\r\\nlet intValue = toint(hexValue);\\r\\nlet binaryValue= 
strcat(\\r\\n iff(binary_and(intValue, 0x80000000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x40000000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x20000000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x10000000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x8000000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x4000000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x2000000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x1000000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x800000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x400000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x200000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x100000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x80000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x40000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x20000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x10000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x8000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x4000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x2000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x1000) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x800) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x400) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x200) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x100) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x80) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x40) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x20) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x10) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x8) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n 
iff(binary_and(intValue, 0x4) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x2) > 0, \\\"1\\\", \\\"0\\\"),\\r\\n iff(binary_and(intValue, 0x1) > 0, \\\"1\\\", \\\"0\\\")\\r\\n);\\r\\nlet RbinaryValue = reverse(binaryValue);\\r\\ndatatable (BitAddress: int, PolicyRuleOption: string)\\r\\n[\\r\\n 0, \\\"NotUsed\\\",\\r\\n 1, \\\"NotUsed\\\",\\r\\n 2, \\\"Enabled:UMCI\\\",\\r\\n 3, \\\"Enabled:Boot Menu Protection\\\",\\r\\n 4, \\\"Enabled:Intelligent Security Graph Authorization\\\",\\r\\n 5, \\\"Enabled:Invalidate EAs on Reboot\\\",\\r\\n 6, \\\"NotUsed\\\",\\r\\n 7, \\\"Required:WHQL\\\",\\r\\n 8, \\\"NotUsed\\\",\\r\\n 9, \\\"NotUsed\\\",\\r\\n 10, \\\"Enabled:Allow Supplemental Policies\\\",\\r\\n 11, \\\"Disabled:Runtime FilePath Rule Protection\\\",\\r\\n 13, \\\"Enabled:Revoked Expired As Unsigned\\\",\\r\\n 14, \\\"NotUsed\\\",\\r\\n 15, \\\"NotUsed\\\",\\r\\n 16, \\\"Enabled:Audit Mode (Default)\\\",\\r\\n 17, \\\"Disabled:Flight Signing\\\",\\r\\n 18, \\\"Enabled:Inherit Default Policy\\\",\\r\\n 19, \\\"Enabled:Unsigned System Integrity Policy (Default)\\\",\\r\\n 20, \\\"Enabled:Dynamic Code Security\\\",\\r\\n 21, \\\"Required:EV Signers\\\",\\r\\n 22, \\\"Enabled:Boot Audit on Failure\\\",\\r\\n 23, \\\"Enabled:Advanced Boot Options Menu\\\",\\r\\n 24, \\\"Disabled:Script Enforcement\\\",\\r\\n 25, \\\"Required:Enforce Store Applications\\\",\\r\\n 26, \\\"NotUsed\\\",\\r\\n 27, \\\"Enabled:Managed Installer\\\",\\r\\n 28, \\\"Enabled:Update Policy No Reboot\\\"\\r\\n]\\r\\n| extend Results = iif(substring(RbinaryValue, BitAddress ,1) == \\\"1\\\", \\\"Yes\\\", \\\"No\\\")\\r\\n| where Results == \\\"Yes\\\"\\r\\n\",\"size\":3,\"title\":\"Policy Options 
Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"PolicyRuleOption\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Enabled:Audit Mode (Default)\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Value\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":5000,\"filter\":true},\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"mapSettings\":{\"locInfo\":\"AzureResource\",\"locInfoColumn\":\"Computer\"}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"options\",\"comparison\":\"isNotEqualTo\",\"value\":\"empty\"},\"name\":\"PolicyOptionsDetails\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"### Please select a line to get policy otions\\r\\n\\tif you see this box you have not selected one of the policy event above\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"options\",\"comparison\":\"isEqualTo\",\"value\":\"empty\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\"}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"PolicyInsights\"},\"name\":\"PolicyEvents\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Event and Policy 
Graph\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4bbba18a-7884-4d8d-b397-4fe1af24449e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyID\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n| where EventID in (3076,3077) \\r\\n| distinct PolicyID = extract('(.*?)',1,EventData)\\r\\n| sort by PolicyID asc\\r\\n\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"d544011e-5853-4dcc-adfc-f45e8e5406b1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"3076,3077\\\", \\\"label\\\": \\\"All\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"3076\\\", \\\"label\\\": \\\"Audit\\\" },\\r\\n { \\\"value\\\": \\\"3077\\\", \\\"label\\\": \\\"Block\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"FileEventsFilterGraph\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"68b80da4-2f9b-4983-a197-2ae50b71a988\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AffectedFileFilter\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n | where 
EventID in (3076,3077) \\r\\n | where EventID in ({Action})\\r\\n | where _ResourceId in ({Computer})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend AffectedFile = extract('(.*?)',1,EventData)\\r\\n | summarize by AffectedFile\\r\\n | extend AffectedFile2 = replace_string(AffectedFile,\\\"\\\\\\\\\\\",\\\"\\\\\\\\\\\\\\\\\\\")\\r\\n | extend Display = AffectedFile\\r\\n | project-away AffectedFile\\r\\n \",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Affected File\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"ProcessNameFilter\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n | where EventID in (3076,3077) \\r\\n | where EventID in ({Action})\\r\\n | where _ResourceId in ({Computer})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend ProcessName = extract('(.*?)',1,EventData)\\r\\n | summarize by ProcessName\\r\\n | extend ProcessName2 = replace_string(ProcessName,\\\"\\\\\\\\\\\",\\\"\\\\\\\\\\\\\\\\\\\")\\r\\n | extend Display = ProcessName\\r\\n | project-away ProcessName\\r\\n \",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"id\":\"67a76f99-4d5a-42d8-8516-97621c5963c5\",\"label\":\"Process Name\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserNameFilter\",\"label\":\"User 
Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Event\\r\\n | where EventID in (3076,3077) \\r\\n | where EventID in ({Action})\\r\\n | summarize by UserName\\r\\n | extend Display = UserName\\r\\n \",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"],\"id\":\"5267b24b-5cac-4eb9-b181-0f6ab7f63511\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"FileParameterGraph\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\n\\r\\nlet data = Event\\r\\n | where EventID in (3076,3077)\\r\\n | where EventID in ({Action})\\r\\n | where _ResourceId in ({Computer}) \\r\\n | where UserName in ({UserNameFilter})\\r\\n | extend xml_eventdata = parse_xml(EventData).DataItem.EventData.Data\\r\\n | extend PolicyID = extract('(.*?)',1,EventData)\\r\\n | where PolicyID in ({PolicyID})\\r\\n | extend AffectedFile = extract('(.*?)',1,EventData)\\r\\n | where AffectedFile in ({AffectedFileFilter})\\r\\n | extend ProcessName = extract('(.*?)',1,EventData)\\r\\n | where ProcessName in ({ProcessNameFilter})\\r\\n | extend OriginalFileName = extract('(.*?)',1,EventData)\\r\\n | summarize by UserName=tolower(UserName), Computer=tolower(Computer), ProcessName=replace_regex(ProcessName,\\\"(.*)HarddiskVolume[0-9](.*)W[iI][nN][dD][oO][wW][sS]\\\",\\\".\\\"), Action=iff(EventID==3076,\\\"Audit\\\",\\\"Block\\\"),OriginalFileName;\\r\\nlet links = data\\r\\n | summarize edgesize=count() by Source=Computer, Target=Action, Kind=\\\"Computer -> 
Action\\\"\\r\\n | union \\r\\n (data \\r\\n | summarize edgesize=count() by Source=Action, Target=ProcessName, Kind=\\\"Action -> ProcessName\\\"),\\r\\n (data \\r\\n | summarize edgesize=count() by Source=ProcessName, Target=OriginalFileName, Kind=\\\"ProcessName -> OriginalFileName\\\"),\\r\\n (data\\r\\n | summarize edgesize=count() by Source=UserName, Target=Computer, Kind=\\\"UserName -> Computer\\\");\\r\\nlet nodes = data\\r\\n | summarize nodesize=count() by Id=Computer,Name=Computer, Kind=\\\"Computer\\\"\\r\\n | union (\\r\\n data\\r\\n | summarize nodesize=count() by Id=ProcessName, Name=ProcessName, Kind=\\\"ProcessName\\\"),\\r\\n (data \\r\\n | summarize nodesize=count() by Id=Action, Name=Action, Kind=\\\"Action\\\"),\\r\\n (data\\r\\n | summarize nodesize=count() by Id=OriginalFileName, Name=OriginalFileName, Kind=\\\"OriginalFileName\\\"),\\r\\n (data \\r\\n | summarize nodesize=count() by Id=UserName, Name=UserName, Kind=\\\"UserName\\\");\\r\\nnodes\\r\\n| union links\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"graph\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"26ch\"}},{\"columnMatch\":\"Computer\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"UserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"RenderedDescription\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}}]},\"sortBy\":[],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"PolicyNameBuffer\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDig
its\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"PolicyNameBuffer\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Name\",\"formatter\":1},\"bottomContent\":{\"columnMatch\":\"Kind\"},\"nodeIdField\":\"Id\",\"sourceIdField\":\"Source\",\"targetIdField\":\"Target\",\"graphOrientation\":2,\"showOrientationToggles\":true,\"edgeSize\":\"edgesize\",\"nodeSize\":{\"sizeField\":\"nodesize\",\"minSize\":50,\"maxSize\":200},\"staticNodeSize\":100,\"colorSettings\":{\"nodeColorField\":\"Kind\",\"type\":3,\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Computer\",\"representation\":\"green\"},{\"operator\":\"==\",\"thresholdValue\":\"Action\",\"representation\":\"purple\"},{\"operator\":\"==\",\"thresholdValue\":\"ProcessName\",\"representation\":\"lightBlue\"},{\"operator\":\"==\",\"thresholdValue\":\"OriginalFileName\",\"representation\":\"grayBlue\"},{\"operator\":\"==\",\"thresholdValue\":\"UserName\",\"representation\":\"turquoise\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\"}]},\"hivesMargin\":5,\"edgeColorSettings\":null},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 0 - Copy - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"Graph\"},\"name\":\"Graph\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"5px\",\"showBorder\":true}}],\"isLocked\":false,\"fallbackResourceIds\":[\"Azure Monitor\"]}", - "version": "1.0", - "sourceId": "[parameters('workbookSourceId')]", - "category": "[parameters('workbookType')]" - } - } - ], - "outputs": { - "workbookId": { - "type": "string", - 
"value": "[resourceId( 'microsoft.insights/workbooks', parameters('workbookId'))]" - } - }, - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#" -}