diff --git a/Logos/doppel.svg b/Logos/doppel.svg new file mode 100644 index 00000000000..7a3356f642d --- /dev/null +++ b/Logos/doppel.svg @@ -0,0 +1,667 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Sample Data/Doppel_Logs.json b/Sample Data/Doppel_Logs.json new file mode 100644 index 00000000000..7f67500758e --- /dev/null +++ b/Sample Data/Doppel_Logs.json 
@@ -0,0 +1,443 @@
+[
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:55.302005",
+ "updated_values": {
+ "queue_state": "doppel_review"
+ },
+ "alert": {
+ "id": "MTN-2",
+ "doppel_link": "https://app.doppel.com/domains/MTN-2",
+ "created_at": "2024-08-30T22:59:02.14829",
+ "entity": "example1.com",
+ "queue_state": "doppel_review",
+ "entity_state": "active",
+ "severity": "medium",
+ "product": "domains",
+ "source": "ui_upload",
+ "notes": null,
+ "uploaded_by": "john@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:55.302005",
+ "updated_values": {
+ "queue_state": "needs_confirmation"
+ },
+ "alert": {
+ "id": "MTN-1",
+ "doppel_link": "https://app.doppel.com/domains/MTN-1",
+ "created_at": "2024-08-30T22:59:02.14829",
+ "entity": "test_1.com",
+ "queue_state": "needs_confirmation",
+ "entity_state": "active",
+ "severity": "high",
+ "product": "domains",
+ "source": "ui_upload",
+ "notes": null,
+ "uploaded_by": "abhishek@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:55.302005",
+ "updated_values": {
+ "queue_state": "doppel_review"
+ },
+ "alert": {
+ "id": "MTN-20",
+ "doppel_link": "https://app.doppel.com/crypto/MTN-20",
+ "created_at": "2024-09-06T06:30:45.11222",
+ "entity": "malicious_wallet_v3",
+ "queue_state": "doppel_review",
+ "entity_state": "active",
+ "severity": "high",
+ "product": "crypto",
+ "source": "api_detection",
+ "notes": null,
+ "uploaded_by": "isabella@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:55.302005",
+ "updated_values": {
+ "queue_state": "no_action"
+ },
+ "alert": {
+ "id": "MTN-19",
+ "doppel_link": "https://app.doppel.com/ecommerce/MTN-19",
+ "created_at": "2024-09-06T03:00:15.78332",
+ "entity": "fake_listing_v3",
+ "queue_state": "no_action",
+ "entity_state": "resolved",
+ "severity": "medium",
+ "product": "ecommerce",
+ "source": "user_report",
+ "notes": "Issue resolved, no further action",
+ "uploaded_by": "charlotte@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:55.302005",
+ "updated_values": {
+ "queue_state": "monitoring"
+ },
+ "alert": {
+ "id": "MTN-18",
+ "doppel_link": "https://app.doppel.com/mobile_apps/MTN-18",
+ "created_at": "2024-09-05T23:45:22.21211",
+ "entity": "suspicious_app_v3.apk",
+ "queue_state": "monitoring",
+ "entity_state": "active",
+ "severity": "low",
+ "product": "mobile_apps",
+ "source": "automated_scan",
+ "notes": null,
+ "uploaded_by": "jack@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T06:12:17.593210",
+ "updated_values": {
+ "queue_state": "taken_down"
+ },
+ "alert": {
+ "id": "MTN-17",
+ "doppel_link": "https://app.doppel.com/social_media/MTN-17",
+ "created_at": "2024-09-05T22:30:22.34567",
+ "entity": "@fake_account_v2",
+ "queue_state": "taken_down",
+ "entity_state": "resolved",
+ "severity": "critical",
+ "product": "social_media",
+ "source": "user_report",
+ "notes": null,
+ "uploaded_by": "emma@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:55.302005",
+ "updated_values": {
+ "queue_state": "actioned"
+ },
+ "alert": {
+ "id": "MTN-16",
+ "doppel_link": "https://app.doppel.com/domains/MTN-16",
+ "created_at": "2024-09-05T20:30:54.11222",
+ "entity": "example3.com",
+ "queue_state": "actioned",
+ "entity_state": "active",
+ "severity": "high",
+ "product": "domains",
+ "source": "api_detection",
+ "notes": null,
+ "uploaded_by": "olivia@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:55.302005",
+ "updated_values": {
+ "queue_state": "needs_confirmation"
+ },
+ "alert": {
+ "id": "MTN-15",
+ "doppel_link": "https://app.doppel.com/paid_ads/MTN-15",
+ "created_at": "2024-09-05T18:45:23.98332",
+ "entity": "fraudulent_ad_v2",
+ "queue_state": "needs_confirmation",
+ "entity_state": "active",
+ "severity": "medium",
+ "product": "paid_ads",
+ "source": "user_report",
+ "notes": null,
+ "uploaded_by": "natalie@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:55.302005",
+ "updated_values": {
+ "queue_state": "doppel_review"
+ },
+ "alert": {
+ "id": "MTN-14",
+ "doppel_link": "https://app.doppel.com/email/MTN-14",
+ "created_at": "2024-09-05T17:00:11.59293",
+ "entity": "phishing_email_v2",
+ "queue_state": "doppel_review",
+ "entity_state": "active",
+ "severity": "critical",
+ "product": "email",
+ "source": "ui_upload",
+ "notes": null,
+ "uploaded_by": "james@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:55.302005",
+ "updated_values": {
+ "queue_state": "actioned"
+ },
+ "alert": {
+ "id": "MTN-13",
+ "doppel_link": "https://app.doppel.com/crypto/MTN-13",
+ "created_at": "2024-09-05T13:55:19.28432",
+ "entity": "phishing_wallet_v2",
+ "queue_state": "actioned",
+ "entity_state": "resolved",
+ "severity": "medium",
+ "product": "crypto",
+ "source": "user_report",
+ "notes": "No further action required",
+ "uploaded_by": "liam@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:55.302005",
+ "updated_values": {
+ "queue_state": "monitoring"
+ },
+ "alert": {
+ "id": "MTN-12",
+ "doppel_link": "https://app.doppel.com/ecommerce/MTN-12",
+ "created_at": "2024-09-05T12:00:32.56432",
+ "entity": "fake_listing_v2",
+ "queue_state": "monitoring",
+ "entity_state": "active",
+ "severity": "low",
+ "product": "ecommerce",
+ "source": "api_detection",
+ "notes": null,
+ "uploaded_by": "lucas@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:45.234897",
+ "updated_values": {
+ "queue_state": "taken_down"
+ },
+ "alert": {
+ "id": "MTN-11",
+ "doppel_link": "https://app.doppel.com/mobile_apps/MTN-11",
+ "created_at": "2024-09-05T09:55:21.45678",
+ "entity": "malicious_app_v2.apk",
+ "queue_state": "taken_down",
+ "entity_state": "resolved",
+ "severity": "high",
+ "product": "mobile_apps",
+ "source": "user_report",
+ "notes": null,
+ "uploaded_by": "jackson@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T01:42:59.207046",
+ "updated_values": {
+ "queue_state": "actioned"
+ },
+ "alert": {
+ "id": "MTN-10",
+ "doppel_link": "https://app.doppel.com/social_media/MTN-10",
+ "created_at": "2024-09-04T23:12:45.98123",
+ "entity": "@fake_profile",
+ "queue_state": "actioned",
+ "entity_state": "active",
+ "severity": "critical",
+ "product": "social_media",
+ "source": "api_detection",
+ "notes": null,
+ "uploaded_by": "oliver@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T01:27:52.917046",
+ "updated_values": {
+ "queue_state": "needs_confirmation"
+ },
+ "alert": {
+ "id": "MTN-9",
+ "doppel_link": "https://app.doppel.com/domains/MTN-9",
+ "created_at": "2024-09-04T18:45:32.31291",
+ "entity": "example2.com",
+ "queue_state": "needs_confirmation",
+ "entity_state": "active",
+ "severity": "low",
+ "product": "domains",
+ "source": "automated_scan",
+ "notes": null,
+ "uploaded_by": "emma@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:33:45.654322",
+ "updated_values": {
+ "queue_state": "doppel_review"
+ },
+ "alert": {
+ "id": "MTN-8",
+ "doppel_link": "https://app.doppel.com/paid_ads/MTN-8",
+ "created_at": "2024-09-04T14:10:11.14829",
+ "entity": "fraudulent_ad",
+ "queue_state": "doppel_review",
+ "entity_state": "active",
+ "severity": "medium",
+ "product": "paid_ads",
+ "source": "user_report",
+ "notes": null,
+ "uploaded_by": "michael@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T01:22:18.176448",
+ "updated_values": {
+ "queue_state": "no_action"
+ },
+ "alert": {
+ "id": "MTN-7",
+ "doppel_link": "https://app.doppel.com/email/MTN-7",
+ "created_at": "2024-09-02T16:00:29.91321",
+ "entity": "phishing_email",
+ "queue_state": "no_action",
+ "entity_state": "resolved",
+ "severity": "high",
+ "product": "email",
+ "source": "user_report",
+ "notes": "no_action after no further action",
+ "uploaded_by": "george@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T01:50:07.529871",
+ "updated_values": {
+ "queue_state": "monitoring"
+ },
+ "alert": {
+ "id": "MTN-6",
+ "doppel_link": "https://app.doppel.com/crypto/MTN-6",
+ "created_at": "2024-09-02T09:30:45.78322",
+ "entity": "phishing_wallet_address",
+ "queue_state": "monitoring",
+ "entity_state": "active",
+ "severity": "medium",
+ "product": "crypto",
+ "source": "automated_scan",
+ "notes": null,
+ "uploaded_by": "sarah@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T05:42:11.345298",
+ "updated_values": {
+ "queue_state": "taken_down"
+ },
+ "alert": {
+ "id": "MTN-5",
+ "doppel_link": "https://app.doppel.com/ecommerce/MTN-5",
+ "created_at": "2024-09-02T15:00:12.88493",
+ "entity": "fake_product_listing",
+ "queue_state": "taken_down",
+ "entity_state": "resolved",
+ "severity": "low",
+ "product": "ecommerce",
+ "source": "ui_upload",
+ "notes": null,
+ "uploaded_by": "jane@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:45.234897",
+ "updated_values": {
+ "queue_state": "actioned"
+ },
+ "alert": {
+ "id": "MTN-4",
+ "doppel_link": "https://app.doppel.com/mobile_apps/MTN-4",
+ "created_at": "2024-09-01T08:00:55.67432",
+ "entity": "malicious_app.apk",
+ "queue_state": "actioned",
+ "entity_state": "active",
+ "severity": "critical",
+ "product": "mobile_apps",
+ "source": "api_detection",
+ "notes": "Detected in app store",
+ "uploaded_by": "mark@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:15:45.234897",
+ "updated_values": {
+ "queue_state": "needs_confirmation"
+ },
+ "alert": {
+ "id": "MTN-3",
+ "doppel_link": "https://app.doppel.com/social_media/MTN-3",
+ "created_at": "2024-09-01T11:58:15.92311",
+ "entity": "@test_account",
+ "queue_state": "needs_confirmation",
+ "entity_state": "active",
+ "severity": "high",
+ "product": "social_media",
+ "source": "user_report",
+ "notes": null,
+ "uploaded_by": "alice@doppel.com",
+ "tags": []
+ }
+ },
+ {
+ "event_type": "alert_updated",
+ "timestamp": "2024-10-30T00:10:35.123987",
+ "updated_values": {
+ "queue_state": "internal_bad_match"
+ },
+ "alert": {
+ "id": "MTN-3",
+ "doppel_link": "https://app.doppel.com/social_media/MTN-3",
+ "created_at": "2024-09-01T11:58:15.92311",
+ "entity": "@test_account",
+ "queue_state": "internal_bad_match",
+ "entity_state": "active",
+ "severity": "high",
+ "product": "social_media",
+ "source": "user_report",
+ "notes": null,
+ "uploaded_by": "alice@doppel.com",
+ "tags": []
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/Doppel/Data Connectors/Connector_Doppel.json b/Solutions/Doppel/Data Connectors/Connector_Doppel.json
new file mode 100644
index 00000000000..a8329a45293
--- /dev/null
+++ b/Solutions/Doppel/Data Connectors/Connector_Doppel.json
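Review bot: The `uploaded_by` values throughout Sample Data/Doppel_Logs.json are first-name mailboxes at the vendor's live mail domain (`john@doppel.com`, `abhishek@doppel.com`, …), and if they were exported from a real tenant they publish staff addresses in a public repository. Swap them for reserved-domain placeholders such as `"uploaded_by": "analyst1@example.com"`. The `timestamp` and `created_at` strings also carry no UTC offset, so any ingestion transform that maps them to `TimeGenerated` has to guess the zone; a trailing `Z` (if the values are UTC) would make the samples unambiguous. `MTN-3` appears twice with different `queue_state` values, which is fine only if it is meant to show two updates to one alert.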
@@ -0,0 +1,103 @@
+{
+ "title": "Doppel Data Connector",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The data connector is built on Microsoft Sentinel for Doppel events and alerts and supports DCR-based [ingestion time transformations] that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.",
+ "graphQueriesTableName": "[variables('_logAnalyticsTableId1')]",
+ "graphQueries": [
+ {
+ "metricName": "Events received",
+ "legend": "Data connector events",
+ "baseQuery": "DoppelTable_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All event logs",
+ "query": "DoppelTable_CL | take 1"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "DoppelTable_CL",
+ "lastDataReceivedQuery": "DoppelTable_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "DoppelTable_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required on the Log Analytics Workspace to create DCE, DCR and Log Analytics Tables",
+ "providerDisplayName": "Log Analytics Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Microsoft Entra Tenant ID, Client ID and Client Secret",
+ "description": "Microsoft Entra ID requires a Client ID and Client Secret to authenticate your application. Additionally, Global Admin/Owner level access is required to assign the Entra-registered application a Resource Group Monitoring Metrics Publisher role."
+ },
+ {
+ "name": "Requires Workspace ID, DCE-URI, DCR-ID",
+ "description": "You will need to get the Log Analytics Workspace ID, DCE Logs Ingestion URI and DCR Immutable ID for the configuration."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Configure Doppel Vision Webhook",
+ "description": "Configure the Webhook in Doppel Vision and Endpoint with permissions in Microsoft Sentinel to send data.",
+ "instructions": [
+ {
+ "type": "InstructionStepsGroup",
+ "parameters": {
+ "enable": true,
+ "userRequestPlaceHolder": "",
+ "instructionSteps": [
+ {
+ "title": "Register the Application in Microsoft Entra ID",
+ "description": "1. **Open the [Microsoft Entra ID page](https://entra.microsoft.com/)**:\n - Click the provided link to open the **Microsoft Entra ID** registration page in a new tab.\n - Ensure you are logged in with an account that has **Admin level** permissions.\n\n2. **Create a New Application**:\n - In the **Microsoft Entra ID portal**, select **App registrations** mentioned on the left-hand side tab.\n - Click on **+ New registration**.\n - Fill out the following fields:\n - **Name**: Enter a name for the app (e.g., “Doppel App”).\n - **Supported account types**: Choose **Accounts in this organizational directory only** (Default Directory only - Single tenant).\n - **Redirect URI**: Leave this blank unless required otherwise.\n - Click **Register** to create the application.\n\n3. **Copy Application and Tenant IDs**:\n - Once the app is registered, note the **Application (client) ID** and **Directory (tenant) ID** from the **Overview** page. You’ll need these for the integration.\n\n4. **Create a Client Secret**:\n - In the **Certificates & secrets** section, click **+ New client secret**.\n - Add a description (e.g., 'Doppel Secret') and set an expiration (e.g., 1 year).\n - Click **Add**.\n - **Copy the client secret value immediately**, as it will not be shown again."
+ },
+ {
+ "title": "Assign the \"Monitoring Metrics Publisher\" Role to the App",
+ "description": "1. **Open the Resource Group in Azure Portal**:\n - Navigate to the **Resource Group** that contains the **Log Analytics Workspace** and **Data Collection Rules (DCRs)** where you want the app to push data.\n\n2. **Assign the Role**:\n - In the **Resource Group** menu, click on **Access control (IAM)** mentioned on the left-hand side tab ..\n - Click on **+ Add** and select **Add role assignment**.\n - In the **Role** dropdown, search for and select the **Monitoring Metrics Publisher** role.\n - Under **Assign access to**, choose **Azure AD user, group, or service principal**.\n - In the **Select** field, search for your registered app by **name** or **client ID**.\n - Click **Save** to assign the role to the application."
+ },
+ {
+ "title": "Deploy the ARM Template",
+ "description": "1. **Retrieve the Workspace ID**:\n - After assigning the role, you will need the **Workspace ID**.\n - Navigate to the **Log Analytics Workspace** within the **Resource Group**.\n - In the **Overview** section, locate the **Workspace ID** field under **Workspace details**.\n - **Copy the Workspace ID** and keep it handy for the next steps.\n\n2. **Click the Deploy to Azure Button**:\n - [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fanantm-metron%2FDeployToAzure%2Frefs%2Fheads%2Fmain%2FDeployToAzure.json).\n - This will take you directly to the Azure portal to start the deployment.\n\n3. **Review and Customize Parameters**:\n - On the custom deployment page, ensure you’re deploying to the correct **subscription** and **resource group**.\n - Fill in the parameters like **workspace name**, **workspace ID**, and **workspace location**.\n\n4. **Click Review + Create** and then **Create** to deploy the resources."
+ },
+ {
+ "title": "Verify DCE, DCR, and Log Analytics Table Setup",
+ "description": "1. **Check the Data Collection Endpoint (DCE)**:\n - After deploying, go to **Azure Portal > Data Collection Endpoints**.\n - Verify that the **DoppelDCE** endpoint has been created successfully.\n - **Copy the DCE Logs Ingestion URI**, as you’ll need this for generating the webhook URL.\n\n2. **Confirm Data Collection Rule (DCR) Setup**:\n - Go to **Azure Portal > Data Collection Rules**.\n - Ensure the **DoppelDCR** rule is present.\n - **Copy the Immutable ID** of the DCR from the Overview page, as you’ll need it for the webhook URL.\n\n3. **Validate Log Analytics Table**:\n - Navigate to your **Log Analytics Workspace** (linked to Microsoft Sentinel).\n - Under the **Tables** section, verify that the **DoppelTable_CL** table has been created successfully and is ready to receive data."
+ },
+ {
+ "title": "Generate the URL for Webhook Configuration",
+ "description": "1. **Construct the Webhook URL**:\n - Use the following URL template:\n ```\n https://{DCE-URI}/dataCollectionRules/{DCR-ID}/streams/Custom-DoppelTable_CL?api-version=2021-11-01-preview\n ```\n\n2. **Replace Placeholders**:\n - Replace `{DCE-URI}` with the copied **DCE Logs Ingestion URI** from the previous step.\n - Replace `{DCR-ID}` with the **Immutable ID** of **DoppelDCR**.\n\n3. **Copy the Completed URL**:\n - This URL is needed for configuring the webhook in Doppel."
+ },
+ {
+ "title": "Generate OAuth 2.0 Access Token",
+ "description": "1. **Request an OAuth 2.0 Access Token**:\n - To authenticate with the API, first generate an OAuth 2.0 token by sending a POST request to the following URL:\n ```https: //login.microsoftonline.com/{Tenant ID}/oauth2/v2.0/token```\n - In the request body, include the following parameters:\n - **client_id**: The **Client ID** from your Microsoft Entra ID application.\n - **client_secret**: The **Client Secret** from your Microsoft Entra ID application.\n - **scope**: `https: //monitor.azure.com//.default`\n - **grant_type**: `client_credentials`\n - The response will contain an **access_token**. Copy this token, as you will need it for the next steps."
+ },
+ {
+ "title": "Configure Log Ingestion in Doppel",
+ "description": "1. **Log in to the Doppel portal**.\n\n2. **Navigate to Integrations > Logs Ingestion**:\n - Go to **Integrations** in Doppel.\n - Select the **Logs Ingestion** integration option.\n\n3. **Enter the Required Microsoft Entra ID Credentials**:\n - In the **Log Ingestion Configuration** section, enter the following details:\n - **DCE (Data Collection Endpoint)**: The endpoint URL for Azure Log Ingestion.\n - **DCR (Data Collection Rule ID)**: The ID of your Azure Data Collection Rule (DCR).\n - **Tenant ID**: Your Microsoft Entra ID Tenant ID.\n - **Client ID**: Your Microsoft Entra ID Application (Client) ID.\n - **Client Secret**: The client secret associated with the Microsoft Entra ID application.\n\n4. **Save the Configuration**:\n - Once you’ve entered all the required information, click **Save** to store the configuration."
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Doppel/Workbooks/Doppel.json b/Solutions/Doppel/Workbooks/Doppel.json
new file mode 100644
index 00000000000..a6508735899
--- /dev/null
+++ b/Solutions/Doppel/Workbooks/Doppel.json
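Review bot: In Connector_Doppel.json the "Deploy the ARM Template" step points the Deploy to Azure button at `raw.githubusercontent.com/anantm-metron/DeployToAzure/refs/heads/main/DeployToAzure.json`, a personal repository on a mutable branch, so the template a customer deploys into their subscription is fetched from outside this repository and can change after merge; ship the template inside this solution and point the button at that copy (placeholder: `<url-encoded raw URL of the in-repo template>`). The prerequisites ask for more than the steps need: a role assignment requires Owner or User Access Administrator on the target scope rather than "Global Admin", Monitoring Metrics Publisher can be granted on the DoppelDCR alone instead of the whole resource group, and `"delete": true` is requested although `permissionsDisplayText` names only read and write. In "Generate OAuth 2.0 Access Token" the endpoints appear as `https: //login.microsoftonline.com/...` and `https: //monitor.azure.com//.default` with a space after the colon, which will not work when pasted, and the token the user is told to copy is not referenced by the final step, which collects the client secret instead. Because that secret ends up stored in Doppel's portal, the instructions should say to record its expiry and rotate it, and the webhook URL could move from `api-version=2021-11-01-preview` to the GA `2023-01-01` version.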
@@ -0,0 +1,113 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "Gain insights into alert statuses, severity, and product distribution for efficient alert management."
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DoppelTable_CL | summarize count() by 'Total Alerts'",
+ "size": 0,
+ "title": "Total Alerts",
+ "timeContext": {
+ "durationMs": 604800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "categoricalbar"
+ },
+ "name": "query - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DoppelTable_CL\n| where QueueState in ('doppel_review', 'needs_confirmation', 'actioned', 'monitoring')\n| summarize count() by 'Verified Alerts'\n",
+ "size": 0,
+ "title": "Verified Alerts",
+ "timeContext": {
+ "durationMs": 604800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "categoricalbar"
+ },
+ "name": "query - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DoppelTable_CL\n| where EntityState == 'resolved'\n| summarize count() by 'Resolved Alerts'\n",
+ "size": 0,
+ "title": "Resolved Alerts",
+ "timeContext": {
+ "durationMs": 604800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "categoricalbar"
+ },
+ "name": "query - 3"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DoppelTable_CL\n| summarize TotalAlerts = count() by QueueState",
+ "size": 0,
+ "title": "Alerts by Status",
+ "timeContext": {
+ "durationMs": 604800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "categoricalbar"
+ },
+ "name": "query - 4"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DoppelTable_CL\n| summarize Count = count() by Product",
+ "size": 0,
+ "title": "Alerts by Product",
+ "timeContext": {
+ "durationMs": 604800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "categoricalbar"
+ },
+ "name": "query - 5"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DoppelTable_CL\n| summarize Count = count() by Product",
+ "size": 0,
+ "title": "Total Alerts by Product",
+ "timeContext": {
+ "durationMs": 604800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart"
+ },
+ "name": "query - 6"
+ }
+ ],
+ "fallbackResourceIds": [
+ "/subscriptions/9ecebafb-a962-4e36-9e10-0cfbbc18b52f/resourcegroups/doppel-project/providers/microsoft.operationalinsights/workspaces/doppel"
+ ],
+ "fromTemplateId": "sentinel-UserWorkbook",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
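Review bot: `fallbackResourceIds` in Workbooks/Doppel.json ships a concrete resource path, `/subscriptions/9ecebafb-a962-4e36-9e10-0cfbbc18b52f/resourcegroups/doppel-project/providers/microsoft.operationalinsights/workspaces/doppel`, which publishes the author's subscription and workspace identifiers and gives every installed copy a fallback workspace the installing tenant does not own; a template workbook should carry `"fallbackResourceIds": []`. Two items are both named `query - 2` (the Total Alerts and Verified Alerts tiles), so the second should get its own name, for example `"name": "query - 7"`. The "Alerts by Product" and "Total Alerts by Product" tiles also run the same query and differ only in `visualization`, which looks like an unintended duplicate.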