diff --git a/Solutions/IllumioSaaS/Package/3.4.0.zip b/Solutions/IllumioSaaS/Package/3.4.0.zip
new file mode 100644
index 0000000000..ef4d0ff965
Binary files /dev/null and b/Solutions/IllumioSaaS/Package/3.4.0.zip differ
diff --git a/Solutions/IllumioSaaS/Package/createUiDefinition.json b/Solutions/IllumioSaaS/Package/createUiDefinition.json
index d5238de252..50582a31f1 100644
--- a/Solutions/IllumioSaaS/Package/createUiDefinition.json
+++ b/Solutions/IllumioSaaS/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/IllumioLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[IllumioSaaS](https://www.illumio.com/) solution provides ability to ingest auditable and flow events from AWS S3 bucket.\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 6, **Function Apps:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/IllumioLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[IllumioSaaS](https://www.illumio.com/) solution provides ability to ingest auditable and flow events from AWS S3 bucket.\n\n**Data Connectors:** 1, **Workbooks:** 4, **Analytic Rules:** 6, **Function Apps:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -142,6 +142,20 @@
                 }
               }
             ]
+          },
+          {
+            "name": "workbook4",
+            "type": "Microsoft.Common.Section",
+            "label": "Illumio OnPrem Health Workbook",
+            "elements": [
+              {
+                "name": "workbook4-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This workbook leverages events ingested by 'Syslog via AMA devices' and presents insights"
+                }
+              }
+            ]
           }
         ]
       },
diff --git a/Solutions/IllumioSaaS/Package/mainTemplate.json b/Solutions/IllumioSaaS/Package/mainTemplate.json
index 2c7e6dbd53..7acc9fa818 100644
--- a/Solutions/IllumioSaaS/Package/mainTemplate.json
+++ b/Solutions/IllumioSaaS/Package/mainTemplate.json
@@ -51,11 +51,19 @@
       "metadata": {
         "description": "Name for the workbook"
       }
+    },
+    "workbook4-name": {
+      "type": "string",
+      "defaultValue": "Illumio OnPrem Health Workbook",
+      "minLength": 1,
+      "metadata": {
+        "description": "Name for the workbook"
+      }
     }
   },
   "variables": {
     "_solutionName": "IllumioSaaS",
-    "_solutionVersion": "3.3.0",
+    "_solutionVersion": "3.4.0",
     "solutionId": "illumioinc1629822633689.illumio_sentinel",
     "_solutionId": "[variables('solutionId')]",
     "uiConfigId1": "IllumioSaaSDataConnector",
@@ -86,6 +94,12 @@
     "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]",
     "_workbookContentId3": "[variables('workbookContentId3')]",
     "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]",
+    "workbookVersion4": "1.2.0",
+    "workbookContentId4": "IllumioOnPremHealthWorkbook",
+    "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]",
+    "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]",
+    "_workbookContentId4": "[variables('workbookContentId4')]",
+    "_workbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId4'),'-', variables('workbookVersion4'))))]",
     "analyticRuleObject1": {
       "analyticRuleVersion1": "1.0.6",
       "_analyticRulecontentId1": "e9e4e466-3970-4165-bc8d-7721c6ef34a6",
@@ -172,7 +186,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "IllumioSaaS data connector with template version 3.3.0",
+        "description": "IllumioSaaS data connector with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -518,7 +532,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "IllumioAuditableEvents Workbook with template version 3.3.0",
+        "description": "IllumioAuditableEvents Workbook with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion1')]",
@@ -536,7 +550,7 @@
               },
               "properties": {
                 "displayName": "[parameters('workbook1-name')]",
-                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9875bc24-f51c-4151-96f0-2e4af7039364\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":86400000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize count()\",\"size\":4,\"title\":\"Audit Events\",\"noDataMessage\":\"0\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Audit Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"table('Illumio_Auditable_Events_CL')\\n| where event_type has 'tampering'\\n| summarize count()\",\"size\":4,\"title\":\"Tampering Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Tampering Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"table('Illumio_Auditable_Events_CL')\\n| where event_type has 'port_scan'\\n| summarize count()\",\"size\":4,\"title\":\"Port Scan Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Port Scan Events\",\"styleSettings\":{\"maxWidth\":\"30\"}}]},\"name\":\"group - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize distinct_count = dcount(href) by event_type\\n| order by distinct_count \\n| top 10 by distinct_count\",\"size\":0,\"title\":\"Top Auditable events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Change Monitoring\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize arg_max(TimeGenerated, *) by href\\n| where event_type == 'sec_policy.create' \\n| mv-expand resource_change = resource_changes\\n| project TimeGenerated,\\n            workloads_affected_after_change = resource_change.changes.workloads_affected.after,\\n           policy_version = resource_change.resource.sec_policy.version,\\n           commit_message = resource_change.resource.sec_policy.commit_message,\\n           modified_objects = resource_change.resource.sec_policy.modified_objects,\\n           change_type = resource_change.change_type\\n\",\"size\":0,\"title\":\"Workloads affected by policy changes\",\"noDataMessage\":\"No workloads were affected by policy changes\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"name\":\"Workloads affected by policy changes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where resource_changes != '[]' and isnotempty(resource_changes) // ensure resource changes are not empty\\n| summarize arg_max(TimeGenerated, *) by href\\n| mv-expand  parse_json(resource_changes)\\n| project resource_type = tostring(bag_keys(resource_changes.resource)[0])\\n| summarize Count=count() by resource_type\",\"size\":0,\"title\":\"Changes by Resource Type\",\"noDataMessage\":\"No changes by resource type\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"customWidth\":\"35\",\"name\":\"Changes by Resource Type\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where resource_changes != '[]' and isnotempty(resource_changes) and not(event_type matches regex '^user.*') and (event_type has '.create' or event_type has '.update' or event_type has '.delete') and (created_by !has \\\"agent\\\" and created_by !has \\\"ven\\\" and created_by !has \\\"container\\\")\\n| extend User = tostring(parse_json(created_by)['user']['username'])\\n| summarize Count = count() by User\",\"size\":0,\"title\":\"Changes by User\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"Changes by User\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where created_by has \\\"agent\\\" or created_by has \\\"ven\\\"\\n| project user = tostring(parse_json(created_by)['agent']['hostname'])\\n| summarize count() by user\",\"size\":0,\"title\":\"Events generated by agents\",\"noDataMessage\":\"Agents have not generated any events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Events generated by agents\",\"styleSettings\":{\"maxWidth\":\"20\"}}]},\"name\":\"ChangeMonitoring\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize arg_max(TimeGenerated, *) by href // try to filter what event_type to prioritize in bar chart\\n| make-series events = count() default = 0 on TimeGenerated from {Time:start} to {Time:end} step 1h by event_type //from ago(1d) to now() step 1h by event_type \",\"size\":0,\"title\":\"PCE events breakdown - every hour\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"PCE events breakdown - every hour\"},{\"type\":1,\"content\":{\"json\":\"### Authentication events \\nChoose from below drop down to filter authentication events.\"},\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1ee7c425-b1b5-4a71-8dc3-9b447fa1f316\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventType\",\"label\":\"Include Event Type\",\"type\":2,\"description\":\"Types of events to be included \",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n    { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n    { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n    { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n    { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n    { \\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n    { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n    { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n    { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"value::all\"]},{\"id\":\"4f1ca215-f902-4fac-9bf0-834e4988a107\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ExcludeEventType\",\"label\":\"Exclude Event Type\",\"type\":2,\"description\":\"Types of events to be excluded\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\n    { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n    { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n    { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n    { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n    { \\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n    { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n    { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n    { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"},\\n    { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\", \\\"selected\\\": true}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"None\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"description\":\"Status values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n    { \\\"value\\\":\\\"failure\\\", \\\"label\\\":\\\"Failure\\\" },\\n    { \\\"value\\\":\\\"success\\\", \\\"label\\\":\\\"Success\\\", \\\"selected\\\": true },\\n    { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"c8996627-2e77-4386-9c23-1eb5d50df311\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"description\":\"Status values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n    { \\\"value\\\":\\\"err\\\", \\\"label\\\":\\\"Error\\\" },\\n    { \\\"value\\\":\\\"info\\\", \\\"label\\\":\\\"Info\\\", \\\"selected\\\": true }    \\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"79d0945d-d0f8-4293-8dc2-3c57391cde95\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let included_event_types = iif(\\\"*\\\" in ({EventType}), dynamic(['user.login','user.logout', 'user.sign_in', 'user.sign_out', 'user.authenticate','user.create_session','user.pce_session_terminated']), dynamic([{EventType}]) );\\nIllumio_Auditable_Events_CL\\n| where event_type in (included_event_types)\\n| where  \\\"*\\\" in ({Status}) or status in ({Status}) and \\\"*\\\" in ({Severity}) or severity in ({Severity})\\n| where not(event_type in ({ExcludeEventType}))\\n| project TimeGenerated, pce_fqdn, event_type, status, notification_type = parse_json(notifications)[0].notification_type,severity, created_by_username = iif(created_by == '{\\\"system\\\":{}}', parse_json(notifications)[0].info.user.username, parse_json(created_by).user.username)\",\"size\":0,\"title\":\"PCE Authentication Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":100,\"filter\":true,\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"name\":\"PCE Authentication Events\"}],\"fromTemplateId\":\"sentinel-AuditableEventsWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9875bc24-f51c-4151-96f0-2e4af7039364\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":86400000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"264cba08-bf9e-44d6-9473-5f03e9aa9375\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Illumio_PCE\",\"label\":\"Illumio PCE\",\"type\":2,\"description\":\"Select the Illumio PCE from which you want to see events for\",\"isRequired\":true,\"isGlobal\":true,\"query\":\"Illumio_Auditable_Events_CL\\n| project pce_fqdn , table = \\\"Illumio_Auditable_Events_CL\\\"\\n| union ( IllumioSyslogAuditEvents    \\n            | project pce_fqdn , table = \\\"IllumioSyslogAuditEvents\\\"\\n        )\\n| distinct table, pce_fqdn \",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"IllumioSyslogAuditEvents\"},{\"id\":\"1b35142b-4e83-4645-83d3-29edd556ee3d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TableToSearchFrom\",\"type\":1,\"description\":\"use Illumio_PCE to define what table to fetch events from\",\"isGlobal\":true,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"{Illumio_PCE:value}\"}}]}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nlet table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize count()\",\"size\":4,\"title\":\"Audit Events\",\"noDataMessage\":\"0\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Audit Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where event_type has 'tampering'\\n| summarize count()\\n\",\"size\":4,\"title\":\"Tampering Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Tampering Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where event_type has 'port_scan'\\n| summarize count()\",\"size\":4,\"title\":\"Port Scan Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Port Scan Events\",\"styleSettings\":{\"maxWidth\":\"30\"}}]},\"name\":\"group - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| summarize distinct_count = dcount(href) by event_type\\n| order by distinct_count \\n| top 10 by distinct_count\",\"size\":0,\"title\":\"Top Auditable events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Change Monitoring\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| summarize arg_max(TimeGenerated, *) by href\\n| where event_type == 'sec_policy.create' \\n| mv-expand resource_change = resource_changes\\n| project TimeGenerated,\\n            workloads_affected_after_change = resource_change.changes.workloads_affected.after,\\n           policy_version = resource_change.resource.sec_policy.version,\\n           commit_message = resource_change.resource.sec_policy.commit_message,\\n           modified_objects = resource_change.resource.sec_policy.modified_objects,\\n           change_type = resource_change.change_type\\n\",\"size\":0,\"title\":\"Workloads affected by policy changes\",\"noDataMessage\":\"No workloads were affected by policy changes\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"name\":\"Workloads affected by policy changes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| where resource_changes != '[]' and isnotempty(resource_changes) // ensure resource changes are not empty\\n| summarize arg_max(TimeGenerated, *) by href\\n| mv-expand  parse_json(resource_changes)\\n| project resource_type = tostring(bag_keys(resource_changes.resource)[0])\\n| summarize Count=count() by resource_type\",\"size\":0,\"title\":\"Changes by Resource Type\",\"noDataMessage\":\"No changes by resource type\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"customWidth\":\"35\",\"name\":\"Changes by Resource Type\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| where resource_changes != '[]' and isnotempty(resource_changes) and not(event_type matches regex '^user.*') and (event_type has '.create' or event_type has '.update' or event_type has '.delete') and (created_by !has \\\"agent\\\" and created_by !has \\\"ven\\\" and created_by !has \\\"container\\\")\\n| extend User = tostring(parse_json(created_by)['user']['username'])\\n| summarize Count = count() by User\",\"size\":0,\"title\":\"Changes by User\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"Changes by User\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| where created_by has \\\"agent\\\" or created_by has \\\"ven\\\"\\n| project user = tostring(parse_json(created_by)['agent']['hostname'])\\n| summarize count() by user\",\"size\":0,\"title\":\"Events generated by agents\",\"noDataMessage\":\"Agents have not generated any events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Events generated by agents\",\"styleSettings\":{\"maxWidth\":\"20\"}}]},\"name\":\"ChangeMonitoring\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| summarize arg_max(TimeGenerated, *) by href // try to filter what event_type to prioritize in bar chart\\n| make-series events = count() default = 0 on TimeGenerated from {Time:start} to {Time:end} step 1h by event_type //from ago(1d) to now() step 1h by event_type \",\"size\":0,\"title\":\"PCE events breakdown - every hour\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"PCE events breakdown - every hour\"},{\"type\":1,\"content\":{\"json\":\"### Authentication events \\nChoose from below drop down to filter authentication events.\"},\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1ee7c425-b1b5-4a71-8dc3-9b447fa1f316\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventType\",\"label\":\"Include Event Type\",\"type\":2,\"description\":\"Types of events to be included \",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n    { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n    { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n    { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n    { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n    { \\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n    { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n    { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n    { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"value::all\"]},{\"id\":\"4f1ca215-f902-4fac-9bf0-834e4988a107\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ExcludeEventType\",\"label\":\"Exclude Event Type\",\"type\":2,\"description\":\"Types of events to be excluded\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\n    { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n    { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n    { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n    { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n    { \\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n    { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n    { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n    { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"},\\n    { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\", \\\"selected\\\": true}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"None\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"description\":\"Status values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n    { \\\"value\\\":\\\"failure\\\", \\\"label\\\":\\\"Failure\\\" },\\n    { \\\"value\\\":\\\"success\\\", \\\"label\\\":\\\"Success\\\", \\\"selected\\\": true },\\n    { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"c8996627-2e77-4386-9c23-1eb5d50df311\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"description\":\"Status values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n    { \\\"value\\\":\\\"err\\\", \\\"label\\\":\\\"Error\\\" },\\n    { \\\"value\\\":\\\"info\\\", \\\"label\\\":\\\"Info\\\", \\\"selected\\\": true }    \\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"79d0945d-d0f8-4293-8dc2-3c57391cde95\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let included_event_types = iif(\\\"*\\\" in ({EventType}), dynamic(['user.login','user.logout', 'user.sign_in', 'user.sign_out', 'user.authenticate','user.create_session','user.pce_session_terminated']), dynamic([{EventType}]) );\\nlet table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| where event_type in (included_event_types)\\n| where  \\\"*\\\" in ({Status}) or status in ({Status}) and \\\"*\\\" in ({Severity}) or severity in ({Severity})\\n| where not(event_type in ({ExcludeEventType}))\\n| project TimeGenerated, pce_fqdn, event_type, status, notification_type = parse_json(notifications)[0].notification_type,severity, created_by_username = iif(created_by == '{\\\"system\\\":{}}', parse_json(notifications)[0].info.user.username, parse_json(created_by).user.username)\",\"size\":0,\"title\":\"PCE Authentication Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":100,\"filter\":true,\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"name\":\"PCE Authentication Events\"}],\"fromTemplateId\":\"sentinel-AuditableEventsWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
                 "version": "1.0",
                 "sourceId": "[variables('workspaceResourceId')]",
                 "category": "sentinel"
@@ -605,7 +619,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "IllumioFlowData Workbook with template version 3.3.0",
+        "description": "IllumioFlowData Workbook with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion2')]",
@@ -623,7 +637,7 @@
               },
               "properties": {
                 "displayName": "[parameters('workbook2-name')]",
-                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ebc4e534-7a4a-41be-b365-ddcd4f564090\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time Range\",\"type\":4,\"description\":\"As a time filter\",\"isGlobal\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize count() by bin(TimeGenerated, 1h)\",\"size\":0,\"title\":\"Traffic every hour\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"traffic-every-hour\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Trafficked Workload Stats\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Enter the number of workloads for which the inbound and outbound connections are to be fetched. These workloads will be ordered by connection count. \",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0dead08f-24f5-40b3-a011-a59e007a8e70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"workload_count\",\"label\":\"Workload Count\",\"type\":1,\"description\":\"Provide an integer that denotes the limit for retrieving most trafficked workloads\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 5, \\\\\\\"label\\\\\\\": 5, \\\\\\\"selected\\\\\\\": true}\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":8,\"value\":\"10\"}],\"style\":\"pills\",\"queryType\":8},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let workload_count = {workload_count};\\nIllumio_Flow_Events_CL\\n| extend hostname = coalesce(src_hostname, dst_hostname)\\n| summarize Count = count() by hostname, dir\\n| summarize InboundCount = sum(iff(dir == \\\"I\\\", Count, 0)), OutboundCount = sum(iff(dir == \\\"O\\\", Count, 0)) by hostname\\n| top workload_count by hostname\\n\",\"size\":0,\"title\":\"Most Trafficked Workloads\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"workload\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"hostname\",\"showLegend\":true,\"xSettings\":{\"label\":\"Workloads\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"Most Trafficked Workloads\"}]},\"name\":\"MostTraffickedWorkload\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Traffic Explorer\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Filters for querying traffic data\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"## Traffic Explorer\\n### Please enter source ip, destination ip, destination port, protocol, time range to filter traffic records. \\n### All records are returned unless provided.\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8ab7ce90-16a6-4e7e-85b7-292234a9d3c1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_ip\",\"label\":\"Source IP\",\"type\":2,\"description\":\"Select source ip\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by src_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"24f11ee0-0b0b-4c79-918b-01df57233aa2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_ip\",\"label\":\"Destination IP\",\"type\":2,\"description\":\"Select destination ips\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by dst_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb9fe16e-be04-479d-9389-0095c2b43d50\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_port\",\"label\":\"Destination Port\",\"type\":2,\"description\":\"Select destination port\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by dst_port\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"416ab303-c10f-47c1-9f01-7c1324699b49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"protocol\",\"label\":\"Protocol\",\"type\":2,\"description\":\"Protocol for fetching traffic records. For multiple, use comma as delimiter like 6,17\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by proto\\n| extend protocolName = case(\\n    proto == -1, \\\"all\\\",\\n    proto == 0, \\\"hopopt\\\",\\n    proto == 1, \\\"icmp\\\",\\n    proto == 2, \\\"igmp\\\",\\n    proto == 3, \\\"ggp\\\",\\n    proto == 4, \\\"ipv4\\\",\\n    proto == 5, \\\"st\\\",\\n    proto == 6, \\\"tcp\\\",\\n    proto == 7, \\\"cbt\\\",\\n    proto == 8, \\\"egp\\\",\\n    proto == 9, \\\"igp\\\",\\n    proto == 10, \\\"bbn-rcc-mon\\\",\\n    proto == 11, \\\"nvp-ii\\\",\\n    proto == 12, \\\"pup\\\",\\n    proto == 13, \\\"argus\\\",\\n    proto == 14, \\\"emcon\\\",\\n    proto == 15, \\\"xnet\\\",\\n    proto == 16, \\\"chaos\\\",\\n    proto == 17, \\\"udp\\\",\\n    proto == 18, \\\"mux\\\",\\n    proto == 19, \\\"dcn-meas\\\",\\n    proto == 20, \\\"hmp\\\",\\n    proto == 21, \\\"prm\\\",\\n    proto == 22, \\\"xns-idp\\\",\\n    proto == 23, \\\"trunk-1\\\",\\n    proto == 24, \\\"trunk-2\\\",\\n    proto == 25, \\\"leaf-1\\\",\\n    proto == 26, \\\"leaf-2\\\",\\n    proto == 27, \\\"rdp\\\",\\n    proto == 28, \\\"irtp\\\",\\n    proto == 29, \\\"iso-tp4\\\",\\n    proto == 30, \\\"netblt\\\",\\n    proto == 31, \\\"mfe-nsp\\\",\\n    proto == 32, \\\"merit-inp\\\",\\n    proto == 33, \\\"dccp\\\",\\n    proto == 34, \\\"3pc\\\",\\n    proto == 35, \\\"idpr\\\",\\n    proto == 36, \\\"xtp\\\",\\n    proto == 37, \\\"ddp\\\",\\n    proto == 38, \\\"idpr-cmtp\\\",\\n    proto == 39, \\\"tp++\\\",\\n    proto == 40, \\\"il\\\",\\n    proto == 41, \\\"ipv6\\\",\\n    proto == 42, \\\"sdrp\\\",\\n    proto == 43, \\\"ipv6-route\\\",\\n    proto == 44, \\\"ipv6-frag\\\",\\n    proto == 45, \\\"idrp\\\",\\n    proto == 46, \\\"rsvp\\\",\\n    proto == 47, \\\"gre\\\",\\n    proto == 48, \\\"dsr\\\",\\n    proto == 49, \\\"bna\\\",\\n    proto == 50, \\\"esp\\\",\\n    proto == 51, \\\"ah\\\",\\n    proto == 52, \\\"i-nlsp\\\",\\n    proto == 53, \\\"swipe\\\",\\n    proto == 54, \\\"narp\\\",\\n    proto == 55, \\\"mobile\\\",\\n    proto == 56, \\\"tlsp\\\",\\n    proto == 57, \\\"skip\\\",\\n    proto == 58, \\\"ipv6-icmp\\\",\\n    proto == 59, \\\"ipv6-nonxt\\\",\\n    proto == 60, \\\"ipv6-opts\\\",\\n    proto == 62, \\\"cftp\\\",\\n    proto == 64, \\\"sat-expak\\\",\\n    proto == 65, \\\"kryptolan\\\",\\n    proto == 66, \\\"rvd\\\",\\n    proto == 67, \\\"ippc\\\",\\n    proto == 69, \\\"sat-mon\\\",\\n    proto == 70, \\\"visa\\\",\\n    proto == 71, \\\"ipcv\\\",\\n    proto == 72, \\\"cpnx\\\",\\n    proto == 73, \\\"cphb\\\",\\n    proto == 74, \\\"wsn\\\",\\n    proto == 75, \\\"pvp\\\",\\n    proto == 76, \\\"br-sat-mon\\\",\\n    proto == 77, \\\"sun-nd\\\",\\n    proto == 78, \\\"wb-mon\\\",\\n    proto == 79, \\\"wb-expak\\\",\\n    proto == 80, \\\"iso-ip\\\",\\n    proto == 81, \\\"vmtp\\\",\\n    proto == 82, \\\"secure-vmtp\\\",\\n    proto == 83, \\\"vines\\\",\\n    proto == 84, \\\"iptm\\\",\\n    proto == 85, \\\"nsfnet-igp\\\",\\n    proto == 86, \\\"dgp\\\",\\n    proto == 87, \\\"tcf\\\",\\n    proto == 88, \\\"eigrp\\\",\\n    proto == 89, \\\"ospfigp\\\",\\n    proto == 90, \\\"sprite-rpc\\\",\\n    proto == 91, \\\"larp\\\",\\n    proto == 92, \\\"mtp\\\",\\n    proto == 93, \\\"ax.25\\\",\\n    proto == 94, \\\"ipip\\\",\\n    proto == 95, \\\"micp\\\",\\n    proto == 96, \\\"scc-sp\\\",\\n    proto == 97, \\\"etherip\\\",\\n    proto == 98, \\\"encap\\\",\\n    proto == 100, \\\"gmtp\\\",\\n    proto == 101, \\\"ifmp\\\",\\n    proto == 102, \\\"pnni\\\",\\n    proto == 103, \\\"pim\\\",\\n    proto == 104, \\\"aris\\\",\\n    proto == 105, \\\"scps\\\",\\n    proto == 106, \\\"qnx\\\",\\n    proto == 107, \\\"a/n\\\",\\n    proto == 108, \\\"ipcomp\\\",\\n    proto == 109, \\\"snp\\\",\\n    proto == 110, \\\"compaq-peer\\\",\\n    proto == 111, \\\"ipx-in-ip\\\",\\n    proto == 112, \\\"vrrp\\\",\\n    proto == 113, \\\"pgm\\\",\\n    proto == 115, \\\"l2tp\\\",\\n    proto == 116, \\\"ddx\\\",\\n    proto == 117, \\\"iatp\\\",\\n    proto == 118, \\\"stp\\\",\\n    proto == 119, \\\"srp\\\",\\n    proto == 120, \\\"uti\\\",\\n    proto == 121, \\\"smp\\\",\\n    proto == 122, \\\"sm\\\",\\n    proto == 123, \\\"ptp\\\",\\n    proto == 124, \\\"isis over ipv4\\\",\\n    proto == 125, \\\"fire\\\",\\n    proto == 126, \\\"crtp\\\",\\n    proto == 127, \\\"crudp\\\",\\n    proto == 128, \\\"sscopmce\\\",\\n    proto == 129, \\\"iplt\\\",\\n    proto == 130, \\\"sps\\\",\\n    proto == 131, \\\"pipe\\\",\\n    proto == 132, \\\"sctp\\\",\\n    proto == 133, \\\"fc\\\",\\n    proto == 134, \\\"rsvp-e2e-ignore\\\",\\n    proto == 135, \\\"mobility header\\\",\\n    proto == 136, \\\"udplite\\\",\\n    proto == 137, \\\"mpls-in-ip\\\",\\n    proto == 138, \\\"manet\\\",\\n    proto == 139, \\\"hip\\\",\\n    proto == 140, \\\"shim6\\\",\\n    proto == 141, \\\"wesp\\\",\\n    proto == 142, \\\"rohc\\\",\\n    proto == 143, \\\"ethernet\\\",\\n    proto == 144, \\\"aggfrag\\\",\\n    proto == 145, \\\"nsh\\\",\\n    proto >= 146 and proto <= 252, \\\"unknown\\\",\\n    proto == 253, \\\"unknown\\\",\\n    proto == 254, \\\"unknown\\\",\\n    proto == 255, \\\"reserved\\\",\\n    \\\"unknown\\\"\\n)\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f07c08c2-ff0f-42a7-adc6-4fd5d7f1cb19\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_label\",\"label\":\"Source Label\",\"type\":2,\"description\":\"Filter for source labels\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| where src_labels != ''\\n| extend parsed_labels = parse_json(src_labels)\\n| mv-expand kind=array parsed_labels\\n| extend src_label=tostring(parsed_labels[1])\\n| summarize by src_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"9d5cb77f-31a5-41ed-8849-aaee2b513f54\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_label\",\"label\":\"Destination Label\",\"type\":2,\"description\":\"Filter for destination label\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| where dst_labels != ''\\n| extend parsed_labels = parse_json(dst_labels)\\n| mv-expand kind=array parsed_labels\\n| extend dst_label=tostring(parsed_labels[1])\\n| summarize by dst_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"all_traffic_params\",\"styleSettings\":{\"maxWidth\":\"30\"}}],\"exportParameters\":true},\"name\":\"parameters_group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and  (dst_labels has_any ({dst_label}) or '*' in ({dst_label}))  and  (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol})) \\n| extend policy_decision = \\n    case(pd == 0, \\\"Allowed\\\",\\n         pd == 1, \\\"Potentially Blocked\\\",\\n         pd == 2, \\\"Blocked\\\",\\n        \\\"Unknown\\\")\\n| summarize count() by policy_decision\\n\",\"size\":2,\"title\":\"Flow count by policy decision\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Potentially Blocked\",\"color\":\"yellow\"},{\"seriesName\":\"Allowed\",\"color\":\"green\"},{\"seriesName\":\"Blocked\",\"color\":\"red\"},{\"seriesName\":\"Unknown\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Flow count by policy decision\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nIllumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label}))  and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend class_type = \\n    case(class == 'B', 'Broadcast',\\n         class == 'M', 'Multicast',\\n         class == 'U', \\\"Unicast\\\",\\n        \\\"Unknown\\\")\\n| summarize count() by class_type\\n\",\"size\":2,\"title\":\"Flows by class\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"Flows by class\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### A service is indicated with a destination port and protocol, represented in the below graph as \\\"destination_port/protocol\\\"\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocolName = case(\\n    proto == -1, \\\"all\\\",\\n    proto == 0, \\\"hopopt\\\",\\n    proto == 1, \\\"icmp\\\",\\n    proto == 2, \\\"igmp\\\",\\n    proto == 3, \\\"ggp\\\",\\n    proto == 4, \\\"ipv4\\\",\\n    proto == 5, \\\"st\\\",\\n    proto == 6, \\\"tcp\\\",\\n    proto == 7, \\\"cbt\\\",\\n    proto == 8, \\\"egp\\\",\\n    proto == 9, \\\"igp\\\",\\n    proto == 10, \\\"bbn-rcc-mon\\\",\\n    proto == 11, \\\"nvp-ii\\\",\\n    proto == 12, \\\"pup\\\",\\n    proto == 13, \\\"argus\\\",\\n    proto == 14, \\\"emcon\\\",\\n    proto == 15, \\\"xnet\\\",\\n    proto == 16, \\\"chaos\\\",\\n    proto == 17, \\\"udp\\\",\\n    proto == 18, \\\"mux\\\",\\n    proto == 19, \\\"dcn-meas\\\",\\n    proto == 20, \\\"hmp\\\",\\n    proto == 21, \\\"prm\\\",\\n    proto == 22, \\\"xns-idp\\\",\\n    proto == 23, \\\"trunk-1\\\",\\n    proto == 24, \\\"trunk-2\\\",\\n    proto == 25, \\\"leaf-1\\\",\\n    proto == 26, \\\"leaf-2\\\",\\n    proto == 27, \\\"rdp\\\",\\n    proto == 28, \\\"irtp\\\",\\n    proto == 29, \\\"iso-tp4\\\",\\n    proto == 30, \\\"netblt\\\",\\n    proto == 31, \\\"mfe-nsp\\\",\\n    proto == 32, \\\"merit-inp\\\",\\n    proto == 33, \\\"dccp\\\",\\n    proto == 34, \\\"3pc\\\",\\n    proto == 35, \\\"idpr\\\",\\n    proto == 36, \\\"xtp\\\",\\n    proto == 37, \\\"ddp\\\",\\n    proto == 38, \\\"idpr-cmtp\\\",\\n    proto == 39, \\\"tp++\\\",\\n    proto == 40, \\\"il\\\",\\n    proto == 41, \\\"ipv6\\\",\\n    proto == 42, \\\"sdrp\\\",\\n    proto == 43, \\\"ipv6-route\\\",\\n    proto == 44, \\\"ipv6-frag\\\",\\n    proto == 45, \\\"idrp\\\",\\n    proto == 46, \\\"rsvp\\\",\\n    proto == 47, \\\"gre\\\",\\n    proto == 48, \\\"dsr\\\",\\n    proto == 49, \\\"bna\\\",\\n    proto == 50, \\\"esp\\\",\\n    proto == 51, \\\"ah\\\",\\n    proto == 52, \\\"i-nlsp\\\",\\n    proto == 53, \\\"swipe\\\",\\n    proto == 54, \\\"narp\\\",\\n    proto == 55, \\\"mobile\\\",\\n    proto == 56, \\\"tlsp\\\",\\n    proto == 57, \\\"skip\\\",\\n    proto == 58, \\\"ipv6-icmp\\\",\\n    proto == 59, \\\"ipv6-nonxt\\\",\\n    proto == 60, \\\"ipv6-opts\\\",\\n    proto == 62, \\\"cftp\\\",\\n    proto == 64, \\\"sat-expak\\\",\\n    proto == 65, \\\"kryptolan\\\",\\n    proto == 66, \\\"rvd\\\",\\n    proto == 67, \\\"ippc\\\",\\n    proto == 69, \\\"sat-mon\\\",\\n    proto == 70, \\\"visa\\\",\\n    proto == 71, \\\"ipcv\\\",\\n    proto == 72, \\\"cpnx\\\",\\n    proto == 73, \\\"cphb\\\",\\n    proto == 74, \\\"wsn\\\",\\n    proto == 75, \\\"pvp\\\",\\n    proto == 76, \\\"br-sat-mon\\\",\\n    proto == 77, \\\"sun-nd\\\",\\n    proto == 78, \\\"wb-mon\\\",\\n    proto == 79, \\\"wb-expak\\\",\\n    proto == 80, \\\"iso-ip\\\",\\n    proto == 81, \\\"vmtp\\\",\\n    proto == 82, \\\"secure-vmtp\\\",\\n    proto == 83, \\\"vines\\\",\\n    proto == 84, \\\"iptm\\\",\\n    proto == 85, \\\"nsfnet-igp\\\",\\n    proto == 86, \\\"dgp\\\",\\n    proto == 87, \\\"tcf\\\",\\n    proto == 88, \\\"eigrp\\\",\\n    proto == 89, \\\"ospfigp\\\",\\n    proto == 90, \\\"sprite-rpc\\\",\\n    proto == 91, \\\"larp\\\",\\n    proto == 92, \\\"mtp\\\",\\n    proto == 93, \\\"ax.25\\\",\\n    proto == 94, \\\"ipip\\\",\\n    proto == 95, \\\"micp\\\",\\n    proto == 96, \\\"scc-sp\\\",\\n    proto == 97, \\\"etherip\\\",\\n    proto == 98, \\\"encap\\\",\\n    proto == 100, \\\"gmtp\\\",\\n    proto == 101, \\\"ifmp\\\",\\n    proto == 102, \\\"pnni\\\",\\n    proto == 103, \\\"pim\\\",\\n    proto == 104, \\\"aris\\\",\\n    proto == 105, \\\"scps\\\",\\n    proto == 106, \\\"qnx\\\",\\n    proto == 107, \\\"a/n\\\",\\n    proto == 108, \\\"ipcomp\\\",\\n    proto == 109, \\\"snp\\\",\\n    proto == 110, \\\"compaq-peer\\\",\\n    proto == 111, \\\"ipx-in-ip\\\",\\n    proto == 112, \\\"vrrp\\\",\\n    proto == 113, \\\"pgm\\\",\\n    proto == 115, \\\"l2tp\\\",\\n    proto == 116, \\\"ddx\\\",\\n    proto == 117, \\\"iatp\\\",\\n    proto == 118, \\\"stp\\\",\\n    proto == 119, \\\"srp\\\",\\n    proto == 120, \\\"uti\\\",\\n    proto == 121, \\\"smp\\\",\\n    proto == 122, \\\"sm\\\",\\n    proto == 123, \\\"ptp\\\",\\n    proto == 124, \\\"isis over ipv4\\\",\\n    proto == 125, \\\"fire\\\",\\n    proto == 126, \\\"crtp\\\",\\n    proto == 127, \\\"crudp\\\",\\n    proto == 128, \\\"sscopmce\\\",\\n    proto == 129, \\\"iplt\\\",\\n    proto == 130, \\\"sps\\\",\\n    proto == 131, \\\"pipe\\\",\\n    proto == 132, \\\"sctp\\\",\\n    proto == 133, \\\"fc\\\",\\n    proto == 134, \\\"rsvp-e2e-ignore\\\",\\n    proto == 135, \\\"mobility header\\\",\\n    proto == 136, \\\"udplite\\\",\\n    proto == 137, \\\"mpls-in-ip\\\",\\n    proto == 138, \\\"manet\\\",\\n    proto == 139, \\\"hip\\\",\\n    proto == 140, \\\"shim6\\\",\\n    proto == 141, \\\"wesp\\\",\\n    proto == 142, \\\"rohc\\\",\\n    proto == 143, \\\"ethernet\\\",\\n    proto == 144, \\\"aggfrag\\\",\\n    proto == 145, \\\"nsh\\\",\\n    proto >= 146 and proto <= 252, \\\"unknown\\\",\\n    proto == 253, \\\"unknown\\\",\\n    proto == 254, \\\"unknown\\\",\\n    proto == 255, \\\"reserved\\\",\\n    \\\"unknown\\\"\\n)\\n| extend service = strcat(dst_port, '/', protocolName)\\n| summarize service_count = count() by service\\n| top 5 by service_count\\n\",\"size\":0,\"title\":\"Top 5 Services by Flow Count\",\"color\":\"blue\",\"noDataMessage\":\"No services found\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"xAxis\":\"service\",\"yAxis\":[\"service_count\"],\"xSettings\":{\"label\":\"Destination Service\"},\"ySettings\":{\"label\":\"Count\"}}},\"name\":\"Top 5 Services by Flow Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 2 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n    proto == -1, \\\"all\\\",\\n    proto == 0, \\\"hopopt\\\",\\n    proto == 1, \\\"icmp\\\",\\n    proto == 2, \\\"igmp\\\",\\n    proto == 3, \\\"ggp\\\",\\n    proto == 4, \\\"ipv4\\\",\\n    proto == 5, \\\"st\\\",\\n    proto == 6, \\\"tcp\\\",\\n    proto == 7, \\\"cbt\\\",\\n    proto == 8, \\\"egp\\\",\\n    proto == 9, \\\"igp\\\",\\n    proto == 10, \\\"bbn-rcc-mon\\\",\\n    proto == 11, \\\"nvp-ii\\\",\\n    proto == 12, \\\"pup\\\",\\n    proto == 13, \\\"argus\\\",\\n    proto == 14, \\\"emcon\\\",\\n    proto == 15, \\\"xnet\\\",\\n    proto == 16, \\\"chaos\\\",\\n    proto == 17, \\\"udp\\\",\\n    proto == 18, \\\"mux\\\",\\n    proto == 19, \\\"dcn-meas\\\",\\n    proto == 20, \\\"hmp\\\",\\n    proto == 21, \\\"prm\\\",\\n    proto == 22, \\\"xns-idp\\\",\\n    proto == 23, \\\"trunk-1\\\",\\n    proto == 24, \\\"trunk-2\\\",\\n    proto == 25, \\\"leaf-1\\\",\\n    proto == 26, \\\"leaf-2\\\",\\n    proto == 27, \\\"rdp\\\",\\n    proto == 28, \\\"irtp\\\",\\n    proto == 29, \\\"iso-tp4\\\",\\n    proto == 30, \\\"netblt\\\",\\n    proto == 31, \\\"mfe-nsp\\\",\\n    proto == 32, \\\"merit-inp\\\",\\n    proto == 33, \\\"dccp\\\",\\n    proto == 34, \\\"3pc\\\",\\n    proto == 35, \\\"idpr\\\",\\n    proto == 36, \\\"xtp\\\",\\n    proto == 37, \\\"ddp\\\",\\n    proto == 38, \\\"idpr-cmtp\\\",\\n    proto == 39, \\\"tp++\\\",\\n    proto == 40, \\\"il\\\",\\n    proto == 41, \\\"ipv6\\\",\\n    proto == 42, \\\"sdrp\\\",\\n    proto == 43, \\\"ipv6-route\\\",\\n    proto == 44, \\\"ipv6-frag\\\",\\n    proto == 45, \\\"idrp\\\",\\n    proto == 46, \\\"rsvp\\\",\\n    proto == 47, \\\"gre\\\",\\n    proto == 48, \\\"dsr\\\",\\n    proto == 49, \\\"bna\\\",\\n    proto == 50, \\\"esp\\\",\\n    proto == 51, \\\"ah\\\",\\n    proto == 52, \\\"i-nlsp\\\",\\n    proto == 53, \\\"swipe\\\",\\n    proto == 54, \\\"narp\\\",\\n    proto == 55, \\\"mobile\\\",\\n    proto == 56, \\\"tlsp\\\",\\n    proto == 57, \\\"skip\\\",\\n    proto == 58, \\\"ipv6-icmp\\\",\\n    proto == 59, \\\"ipv6-nonxt\\\",\\n    proto == 60, \\\"ipv6-opts\\\",\\n    proto == 62, \\\"cftp\\\",\\n    proto == 64, \\\"sat-expak\\\",\\n    proto == 65, \\\"kryptolan\\\",\\n    proto == 66, \\\"rvd\\\",\\n    proto == 67, \\\"ippc\\\",\\n    proto == 69, \\\"sat-mon\\\",\\n    proto == 70, \\\"visa\\\",\\n    proto == 71, \\\"ipcv\\\",\\n    proto == 72, \\\"cpnx\\\",\\n    proto == 73, \\\"cphb\\\",\\n    proto == 74, \\\"wsn\\\",\\n    proto == 75, \\\"pvp\\\",\\n    proto == 76, \\\"br-sat-mon\\\",\\n    proto == 77, \\\"sun-nd\\\",\\n    proto == 78, \\\"wb-mon\\\",\\n    proto == 79, \\\"wb-expak\\\",\\n    proto == 80, \\\"iso-ip\\\",\\n    proto == 81, \\\"vmtp\\\",\\n    proto == 82, \\\"secure-vmtp\\\",\\n    proto == 83, \\\"vines\\\",\\n    proto == 84, \\\"iptm\\\",\\n    proto == 85, \\\"nsfnet-igp\\\",\\n    proto == 86, \\\"dgp\\\",\\n    proto == 87, \\\"tcf\\\",\\n    proto == 88, \\\"eigrp\\\",\\n    proto == 89, \\\"ospfigp\\\",\\n    proto == 90, \\\"sprite-rpc\\\",\\n    proto == 91, \\\"larp\\\",\\n    proto == 92, \\\"mtp\\\",\\n    proto == 93, \\\"ax.25\\\",\\n    proto == 94, \\\"ipip\\\",\\n    proto == 95, \\\"micp\\\",\\n    proto == 96, \\\"scc-sp\\\",\\n    proto == 97, \\\"etherip\\\",\\n    proto == 98, \\\"encap\\\",\\n    proto == 100, \\\"gmtp\\\",\\n    proto == 101, \\\"ifmp\\\",\\n    proto == 102, \\\"pnni\\\",\\n    proto == 103, \\\"pim\\\",\\n    proto == 104, \\\"aris\\\",\\n    proto == 105, \\\"scps\\\",\\n    proto == 106, \\\"qnx\\\",\\n    proto == 107, \\\"a/n\\\",\\n    proto == 108, \\\"ipcomp\\\",\\n    proto == 109, \\\"snp\\\",\\n    proto == 110, \\\"compaq-peer\\\",\\n    proto == 111, \\\"ipx-in-ip\\\",\\n    proto == 112, \\\"vrrp\\\",\\n    proto == 113, \\\"pgm\\\",\\n    proto == 115, \\\"l2tp\\\",\\n    proto == 116, \\\"ddx\\\",\\n    proto == 117, \\\"iatp\\\",\\n    proto == 118, \\\"stp\\\",\\n    proto == 119, \\\"srp\\\",\\n    proto == 120, \\\"uti\\\",\\n    proto == 121, \\\"smp\\\",\\n    proto == 122, \\\"sm\\\",\\n    proto == 123, \\\"ptp\\\",\\n    proto == 124, \\\"isis over ipv4\\\",\\n    proto == 125, \\\"fire\\\",\\n    proto == 126, \\\"crtp\\\",\\n    proto == 127, \\\"crudp\\\",\\n    proto == 128, \\\"sscopmce\\\",\\n    proto == 129, \\\"iplt\\\",\\n    proto == 130, \\\"sps\\\",\\n    proto == 131, \\\"pipe\\\",\\n    proto == 132, \\\"sctp\\\",\\n    proto == 133, \\\"fc\\\",\\n    proto == 134, \\\"rsvp-e2e-ignore\\\",\\n    proto == 135, \\\"mobility header\\\",\\n    proto == 136, \\\"udplite\\\",\\n    proto == 137, \\\"mpls-in-ip\\\",\\n    proto == 138, \\\"manet\\\",\\n    proto == 139, \\\"hip\\\",\\n    proto == 140, \\\"shim6\\\",\\n    proto == 141, \\\"wesp\\\",\\n    proto == 142, \\\"rohc\\\",\\n    proto == 143, \\\"ethernet\\\",\\n    proto == 144, \\\"aggfrag\\\",\\n    proto == 145, \\\"nsh\\\",\\n    proto >= 146 and proto <= 252, \\\"unknown\\\",\\n    proto == 253, \\\"unknown\\\",\\n    proto == 254, \\\"unknown\\\",\\n    proto == 255, \\\"reserved\\\",\\n    \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Blocked Traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Blocked Traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 1 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n    proto == -1, \\\"all\\\",\\n    proto == 0, \\\"hopopt\\\",\\n    proto == 1, \\\"icmp\\\",\\n    proto == 2, \\\"igmp\\\",\\n    proto == 3, \\\"ggp\\\",\\n    proto == 4, \\\"ipv4\\\",\\n    proto == 5, \\\"st\\\",\\n    proto == 6, \\\"tcp\\\",\\n    proto == 7, \\\"cbt\\\",\\n    proto == 8, \\\"egp\\\",\\n    proto == 9, \\\"igp\\\",\\n    proto == 10, \\\"bbn-rcc-mon\\\",\\n    proto == 11, \\\"nvp-ii\\\",\\n    proto == 12, \\\"pup\\\",\\n    proto == 13, \\\"argus\\\",\\n    proto == 14, \\\"emcon\\\",\\n    proto == 15, \\\"xnet\\\",\\n    proto == 16, \\\"chaos\\\",\\n    proto == 17, \\\"udp\\\",\\n    proto == 18, \\\"mux\\\",\\n    proto == 19, \\\"dcn-meas\\\",\\n    proto == 20, \\\"hmp\\\",\\n    proto == 21, \\\"prm\\\",\\n    proto == 22, \\\"xns-idp\\\",\\n    proto == 23, \\\"trunk-1\\\",\\n    proto == 24, \\\"trunk-2\\\",\\n    proto == 25, \\\"leaf-1\\\",\\n    proto == 26, \\\"leaf-2\\\",\\n    proto == 27, \\\"rdp\\\",\\n    proto == 28, \\\"irtp\\\",\\n    proto == 29, \\\"iso-tp4\\\",\\n    proto == 30, \\\"netblt\\\",\\n    proto == 31, \\\"mfe-nsp\\\",\\n    proto == 32, \\\"merit-inp\\\",\\n    proto == 33, \\\"dccp\\\",\\n    proto == 34, \\\"3pc\\\",\\n    proto == 35, \\\"idpr\\\",\\n    proto == 36, \\\"xtp\\\",\\n    proto == 37, \\\"ddp\\\",\\n    proto == 38, \\\"idpr-cmtp\\\",\\n    proto == 39, \\\"tp++\\\",\\n    proto == 40, \\\"il\\\",\\n    proto == 41, \\\"ipv6\\\",\\n    proto == 42, \\\"sdrp\\\",\\n    proto == 43, \\\"ipv6-route\\\",\\n    proto == 44, \\\"ipv6-frag\\\",\\n    proto == 45, \\\"idrp\\\",\\n    proto == 46, \\\"rsvp\\\",\\n    proto == 47, \\\"gre\\\",\\n    proto == 48, \\\"dsr\\\",\\n    proto == 49, \\\"bna\\\",\\n    proto == 50, \\\"esp\\\",\\n    proto == 51, \\\"ah\\\",\\n    proto == 52, \\\"i-nlsp\\\",\\n    proto == 53, \\\"swipe\\\",\\n    proto == 54, \\\"narp\\\",\\n    proto == 55, \\\"mobile\\\",\\n    proto == 56, \\\"tlsp\\\",\\n    proto == 57, \\\"skip\\\",\\n    proto == 58, \\\"ipv6-icmp\\\",\\n    proto == 59, \\\"ipv6-nonxt\\\",\\n    proto == 60, \\\"ipv6-opts\\\",\\n    proto == 62, \\\"cftp\\\",\\n    proto == 64, \\\"sat-expak\\\",\\n    proto == 65, \\\"kryptolan\\\",\\n    proto == 66, \\\"rvd\\\",\\n    proto == 67, \\\"ippc\\\",\\n    proto == 69, \\\"sat-mon\\\",\\n    proto == 70, \\\"visa\\\",\\n    proto == 71, \\\"ipcv\\\",\\n    proto == 72, \\\"cpnx\\\",\\n    proto == 73, \\\"cphb\\\",\\n    proto == 74, \\\"wsn\\\",\\n    proto == 75, \\\"pvp\\\",\\n    proto == 76, \\\"br-sat-mon\\\",\\n    proto == 77, \\\"sun-nd\\\",\\n    proto == 78, \\\"wb-mon\\\",\\n    proto == 79, \\\"wb-expak\\\",\\n    proto == 80, \\\"iso-ip\\\",\\n    proto == 81, \\\"vmtp\\\",\\n    proto == 82, \\\"secure-vmtp\\\",\\n    proto == 83, \\\"vines\\\",\\n    proto == 84, \\\"iptm\\\",\\n    proto == 85, \\\"nsfnet-igp\\\",\\n    proto == 86, \\\"dgp\\\",\\n    proto == 87, \\\"tcf\\\",\\n    proto == 88, \\\"eigrp\\\",\\n    proto == 89, \\\"ospfigp\\\",\\n    proto == 90, \\\"sprite-rpc\\\",\\n    proto == 91, \\\"larp\\\",\\n    proto == 92, \\\"mtp\\\",\\n    proto == 93, \\\"ax.25\\\",\\n    proto == 94, \\\"ipip\\\",\\n    proto == 95, \\\"micp\\\",\\n    proto == 96, \\\"scc-sp\\\",\\n    proto == 97, \\\"etherip\\\",\\n    proto == 98, \\\"encap\\\",\\n    proto == 100, \\\"gmtp\\\",\\n    proto == 101, \\\"ifmp\\\",\\n    proto == 102, \\\"pnni\\\",\\n    proto == 103, \\\"pim\\\",\\n    proto == 104, \\\"aris\\\",\\n    proto == 105, \\\"scps\\\",\\n    proto == 106, \\\"qnx\\\",\\n    proto == 107, \\\"a/n\\\",\\n    proto == 108, \\\"ipcomp\\\",\\n    proto == 109, \\\"snp\\\",\\n    proto == 110, \\\"compaq-peer\\\",\\n    proto == 111, \\\"ipx-in-ip\\\",\\n    proto == 112, \\\"vrrp\\\",\\n    proto == 113, \\\"pgm\\\",\\n    proto == 115, \\\"l2tp\\\",\\n    proto == 116, \\\"ddx\\\",\\n    proto == 117, \\\"iatp\\\",\\n    proto == 118, \\\"stp\\\",\\n    proto == 119, \\\"srp\\\",\\n    proto == 120, \\\"uti\\\",\\n    proto == 121, \\\"smp\\\",\\n    proto == 122, \\\"sm\\\",\\n    proto == 123, \\\"ptp\\\",\\n    proto == 124, \\\"isis over ipv4\\\",\\n    proto == 125, \\\"fire\\\",\\n    proto == 126, \\\"crtp\\\",\\n    proto == 127, \\\"crudp\\\",\\n    proto == 128, \\\"sscopmce\\\",\\n    proto == 129, \\\"iplt\\\",\\n    proto == 130, \\\"sps\\\",\\n    proto == 131, \\\"pipe\\\",\\n    proto == 132, \\\"sctp\\\",\\n    proto == 133, \\\"fc\\\",\\n    proto == 134, \\\"rsvp-e2e-ignore\\\",\\n    proto == 135, \\\"mobility header\\\",\\n    proto == 136, \\\"udplite\\\",\\n    proto == 137, \\\"mpls-in-ip\\\",\\n    proto == 138, \\\"manet\\\",\\n    proto == 139, \\\"hip\\\",\\n    proto == 140, \\\"shim6\\\",\\n    proto == 141, \\\"wesp\\\",\\n    proto == 142, \\\"rohc\\\",\\n    proto == 143, \\\"ethernet\\\",\\n    proto == 144, \\\"aggfrag\\\",\\n    proto == 145, \\\"nsh\\\",\\n    proto >= 146 and proto <= 252, \\\"unknown\\\",\\n    proto == 253, \\\"unknown\\\",\\n    proto == 254, \\\"unknown\\\",\\n    proto == 255, \\\"reserved\\\",\\n    \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Potentially blocked traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Potentially blocked traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 0 and  (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n    proto == -1, \\\"all\\\",\\n    proto == 0, \\\"hopopt\\\",\\n    proto == 1, \\\"icmp\\\",\\n    proto == 2, \\\"igmp\\\",\\n    proto == 3, \\\"ggp\\\",\\n    proto == 4, \\\"ipv4\\\",\\n    proto == 5, \\\"st\\\",\\n    proto == 6, \\\"tcp\\\",\\n    proto == 7, \\\"cbt\\\",\\n    proto == 8, \\\"egp\\\",\\n    proto == 9, \\\"igp\\\",\\n    proto == 10, \\\"bbn-rcc-mon\\\",\\n    proto == 11, \\\"nvp-ii\\\",\\n    proto == 12, \\\"pup\\\",\\n    proto == 13, \\\"argus\\\",\\n    proto == 14, \\\"emcon\\\",\\n    proto == 15, \\\"xnet\\\",\\n    proto == 16, \\\"chaos\\\",\\n    proto == 17, \\\"udp\\\",\\n    proto == 18, \\\"mux\\\",\\n    proto == 19, \\\"dcn-meas\\\",\\n    proto == 20, \\\"hmp\\\",\\n    proto == 21, \\\"prm\\\",\\n    proto == 22, \\\"xns-idp\\\",\\n    proto == 23, \\\"trunk-1\\\",\\n    proto == 24, \\\"trunk-2\\\",\\n    proto == 25, \\\"leaf-1\\\",\\n    proto == 26, \\\"leaf-2\\\",\\n    proto == 27, \\\"rdp\\\",\\n    proto == 28, \\\"irtp\\\",\\n    proto == 29, \\\"iso-tp4\\\",\\n    proto == 30, \\\"netblt\\\",\\n    proto == 31, \\\"mfe-nsp\\\",\\n    proto == 32, \\\"merit-inp\\\",\\n    proto == 33, \\\"dccp\\\",\\n    proto == 34, \\\"3pc\\\",\\n    proto == 35, \\\"idpr\\\",\\n    proto == 36, \\\"xtp\\\",\\n    proto == 37, \\\"ddp\\\",\\n    proto == 38, \\\"idpr-cmtp\\\",\\n    proto == 39, \\\"tp++\\\",\\n    proto == 40, \\\"il\\\",\\n    proto == 41, \\\"ipv6\\\",\\n    proto == 42, \\\"sdrp\\\",\\n    proto == 43, \\\"ipv6-route\\\",\\n    proto == 44, \\\"ipv6-frag\\\",\\n    proto == 45, \\\"idrp\\\",\\n    proto == 46, \\\"rsvp\\\",\\n    proto == 47, \\\"gre\\\",\\n    proto == 48, \\\"dsr\\\",\\n    proto == 49, \\\"bna\\\",\\n    proto == 50, \\\"esp\\\",\\n    proto == 51, \\\"ah\\\",\\n    proto == 52, \\\"i-nlsp\\\",\\n    proto == 53, \\\"swipe\\\",\\n    proto == 54, \\\"narp\\\",\\n    proto == 55, \\\"mobile\\\",\\n    proto == 56, \\\"tlsp\\\",\\n    proto == 57, \\\"skip\\\",\\n    proto == 58, \\\"ipv6-icmp\\\",\\n    proto == 59, \\\"ipv6-nonxt\\\",\\n    proto == 60, \\\"ipv6-opts\\\",\\n    proto == 62, \\\"cftp\\\",\\n    proto == 64, \\\"sat-expak\\\",\\n    proto == 65, \\\"kryptolan\\\",\\n    proto == 66, \\\"rvd\\\",\\n    proto == 67, \\\"ippc\\\",\\n    proto == 69, \\\"sat-mon\\\",\\n    proto == 70, \\\"visa\\\",\\n    proto == 71, \\\"ipcv\\\",\\n    proto == 72, \\\"cpnx\\\",\\n    proto == 73, \\\"cphb\\\",\\n    proto == 74, \\\"wsn\\\",\\n    proto == 75, \\\"pvp\\\",\\n    proto == 76, \\\"br-sat-mon\\\",\\n    proto == 77, \\\"sun-nd\\\",\\n    proto == 78, \\\"wb-mon\\\",\\n    proto == 79, \\\"wb-expak\\\",\\n    proto == 80, \\\"iso-ip\\\",\\n    proto == 81, \\\"vmtp\\\",\\n    proto == 82, \\\"secure-vmtp\\\",\\n    proto == 83, \\\"vines\\\",\\n    proto == 84, \\\"iptm\\\",\\n    proto == 85, \\\"nsfnet-igp\\\",\\n    proto == 86, \\\"dgp\\\",\\n    proto == 87, \\\"tcf\\\",\\n    proto == 88, \\\"eigrp\\\",\\n    proto == 89, \\\"ospfigp\\\",\\n    proto == 90, \\\"sprite-rpc\\\",\\n    proto == 91, \\\"larp\\\",\\n    proto == 92, \\\"mtp\\\",\\n    proto == 93, \\\"ax.25\\\",\\n    proto == 94, \\\"ipip\\\",\\n    proto == 95, \\\"micp\\\",\\n    proto == 96, \\\"scc-sp\\\",\\n    proto == 97, \\\"etherip\\\",\\n    proto == 98, \\\"encap\\\",\\n    proto == 100, \\\"gmtp\\\",\\n    proto == 101, \\\"ifmp\\\",\\n    proto == 102, \\\"pnni\\\",\\n    proto == 103, \\\"pim\\\",\\n    proto == 104, \\\"aris\\\",\\n    proto == 105, \\\"scps\\\",\\n    proto == 106, \\\"qnx\\\",\\n    proto == 107, \\\"a/n\\\",\\n    proto == 108, \\\"ipcomp\\\",\\n    proto == 109, \\\"snp\\\",\\n    proto == 110, \\\"compaq-peer\\\",\\n    proto == 111, \\\"ipx-in-ip\\\",\\n    proto == 112, \\\"vrrp\\\",\\n    proto == 113, \\\"pgm\\\",\\n    proto == 115, \\\"l2tp\\\",\\n    proto == 116, \\\"ddx\\\",\\n    proto == 117, \\\"iatp\\\",\\n    proto == 118, \\\"stp\\\",\\n    proto == 119, \\\"srp\\\",\\n    proto == 120, \\\"uti\\\",\\n    proto == 121, \\\"smp\\\",\\n    proto == 122, \\\"sm\\\",\\n    proto == 123, \\\"ptp\\\",\\n    proto == 124, \\\"isis over ipv4\\\",\\n    proto == 125, \\\"fire\\\",\\n    proto == 126, \\\"crtp\\\",\\n    proto == 127, \\\"crudp\\\",\\n    proto == 128, \\\"sscopmce\\\",\\n    proto == 129, \\\"iplt\\\",\\n    proto == 130, \\\"sps\\\",\\n    proto == 131, \\\"pipe\\\",\\n    proto == 132, \\\"sctp\\\",\\n    proto == 133, \\\"fc\\\",\\n    proto == 134, \\\"rsvp-e2e-ignore\\\",\\n    proto == 135, \\\"mobility header\\\",\\n    proto == 136, \\\"udplite\\\",\\n    proto == 137, \\\"mpls-in-ip\\\",\\n    proto == 138, \\\"manet\\\",\\n    proto == 139, \\\"hip\\\",\\n    proto == 140, \\\"shim6\\\",\\n    proto == 141, \\\"wesp\\\",\\n    proto == 142, \\\"rohc\\\",\\n    proto == 143, \\\"ethernet\\\",\\n    proto == 144, \\\"aggfrag\\\",\\n    proto == 145, \\\"nsh\\\",\\n    proto >= 146 and proto <= 252, \\\"unknown\\\",\\n    proto == 253, \\\"unknown\\\",\\n    proto == 254, \\\"unknown\\\",\\n    proto == 255, \\\"reserved\\\",\\n    \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\",\"size\":0,\"title\":\"Allowed traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Allowed traffic\"}]},\"name\":\"Traffic Explorer\"}],\"fromTemplateId\":\"sentinel-FlowDataWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ebc4e534-7a4a-41be-b365-ddcd4f564090\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time Range\",\"type\":4,\"description\":\"As a time filter\",\"isGlobal\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"ced5d7b4-3302-4479-bee9-563947af3a5d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Illumio_PCE\",\"label\":\"Illumio PCE\",\"type\":2,\"description\":\"Select the Illumio PCE from which you want to see events for\",\"isRequired\":true,\"isGlobal\":true,\"query\":\"Illumio_Flow_Events_CL\\n| project pce_fqdn , table = \\\"Illumio_Flow_Events_CL\\\"\\n| union ( IllumioSyslogAuditEvents    \\n            | project pce_fqdn , table = \\\"IllumioSyslogNetworkTrafficEvents\\\"\\n        )\\n| distinct table, pce_fqdn \",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"IllumioSyslogNetworkTrafficEvents\"},{\"id\":\"01dea62f-0a96-4799-ad15-4410632e9665\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TableToSearchFrom\",\"type\":1,\"description\":\"use Illumio_PCE to define what table to fetch events from\",\"isGlobal\":true,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"{Illumio_PCE:value}\"}}]}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize count() by bin(TimeGenerated, 1h)\",\"size\":0,\"title\":\"Traffic every hour\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"traffic-every-hour\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Trafficked Workload Stats\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Enter the number of workloads for which the inbound and outbound connections are to be fetched. These workloads will be ordered by connection count. \",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0dead08f-24f5-40b3-a011-a59e007a8e70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"workload_count\",\"label\":\"Workload Count\",\"type\":1,\"description\":\"Provide an integer that denotes the limit for retrieving most trafficked workloads\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 5, \\\\\\\"label\\\\\\\": 5, \\\\\\\"selected\\\\\\\": true}\\\"}\\n\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":8,\"value\":\"10\"}],\"style\":\"pills\",\"queryType\":8},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let workload_count = {workload_count};\\nlet table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| extend hostname = coalesce(src_hostname, dst_hostname)\\n| summarize Count = count() by hostname, dir\\n| summarize InboundCount = sum(iff(dir == \\\"I\\\", Count, 0)), OutboundCount = sum(iff(dir == \\\"O\\\", Count, 0)) by hostname\\n| top workload_count by hostname\\n\",\"size\":0,\"title\":\"Most Trafficked Workloads\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"workload\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"hostname\",\"showLegend\":true,\"xSettings\":{\"label\":\"Workloads\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"Most Trafficked Workloads\"}]},\"name\":\"MostTraffickedWorkload\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Traffic Explorer\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Filters for querying traffic data\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"## Traffic Explorer\\n### Please enter source ip, destination ip, destination port, protocol, time range to filter traffic records. \\n### All records are returned unless provided.\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8ab7ce90-16a6-4e7e-85b7-292234a9d3c1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_ip\",\"label\":\"Source IP\",\"type\":2,\"description\":\"Select source ip\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize by src_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"24f11ee0-0b0b-4c79-918b-01df57233aa2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_ip\",\"label\":\"Destination IP\",\"type\":2,\"description\":\"Select destination ips\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize by dst_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb9fe16e-be04-479d-9389-0095c2b43d50\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_port\",\"label\":\"Destination Port\",\"type\":2,\"description\":\"Select destination port\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize by dst_port\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"416ab303-c10f-47c1-9f01-7c1324699b49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"protocol\",\"label\":\"Protocol\",\"type\":2,\"description\":\"Protocol for fetching traffic records. For multiple, use comma as delimiter like 6,17\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize by proto\\n| extend protocolName = case(\\n    proto == -1, \\\"all\\\",\\n    proto == 0, \\\"hopopt\\\",\\n    proto == 1, \\\"icmp\\\",\\n    proto == 2, \\\"igmp\\\",\\n    proto == 3, \\\"ggp\\\",\\n    proto == 4, \\\"ipv4\\\",\\n    proto == 5, \\\"st\\\",\\n    proto == 6, \\\"tcp\\\",\\n    proto == 7, \\\"cbt\\\",\\n    proto == 8, \\\"egp\\\",\\n    proto == 9, \\\"igp\\\",\\n    proto == 10, \\\"bbn-rcc-mon\\\",\\n    proto == 11, \\\"nvp-ii\\\",\\n    proto == 12, \\\"pup\\\",\\n    proto == 13, \\\"argus\\\",\\n    proto == 14, \\\"emcon\\\",\\n    proto == 15, \\\"xnet\\\",\\n    proto == 16, \\\"chaos\\\",\\n    proto == 17, \\\"udp\\\",\\n    proto == 18, \\\"mux\\\",\\n    proto == 19, \\\"dcn-meas\\\",\\n    proto == 20, \\\"hmp\\\",\\n    proto == 21, \\\"prm\\\",\\n    proto == 22, \\\"xns-idp\\\",\\n    proto == 23, \\\"trunk-1\\\",\\n    proto == 24, \\\"trunk-2\\\",\\n    proto == 25, \\\"leaf-1\\\",\\n    proto == 26, \\\"leaf-2\\\",\\n    proto == 27, \\\"rdp\\\",\\n    proto == 28, \\\"irtp\\\",\\n    proto == 29, \\\"iso-tp4\\\",\\n    proto == 30, \\\"netblt\\\",\\n    proto == 31, \\\"mfe-nsp\\\",\\n    proto == 32, \\\"merit-inp\\\",\\n    proto == 33, \\\"dccp\\\",\\n    proto == 34, \\\"3pc\\\",\\n    proto == 35, \\\"idpr\\\",\\n    proto == 36, \\\"xtp\\\",\\n    proto == 37, \\\"ddp\\\",\\n    proto == 38, \\\"idpr-cmtp\\\",\\n    proto == 39, \\\"tp++\\\",\\n    proto == 40, \\\"il\\\",\\n    proto == 41, \\\"ipv6\\\",\\n    proto == 42, \\\"sdrp\\\",\\n    proto == 43, \\\"ipv6-route\\\",\\n    proto == 44, \\\"ipv6-frag\\\",\\n    proto == 45, \\\"idrp\\\",\\n    proto == 46, \\\"rsvp\\\",\\n    proto == 47, \\\"gre\\\",\\n    proto == 48, \\\"dsr\\\",\\n    proto == 49, \\\"bna\\\",\\n    proto == 50, \\\"esp\\\",\\n    proto == 51, \\\"ah\\\",\\n    proto == 52, \\\"i-nlsp\\\",\\n    proto == 53, \\\"swipe\\\",\\n    proto == 54, \\\"narp\\\",\\n    proto == 55, \\\"mobile\\\",\\n    proto == 56, \\\"tlsp\\\",\\n    proto == 57, \\\"skip\\\",\\n    proto == 58, \\\"ipv6-icmp\\\",\\n    proto == 59, \\\"ipv6-nonxt\\\",\\n    proto == 60, \\\"ipv6-opts\\\",\\n    proto == 62, \\\"cftp\\\",\\n    proto == 64, \\\"sat-expak\\\",\\n    proto == 65, \\\"kryptolan\\\",\\n    proto == 66, \\\"rvd\\\",\\n    proto == 67, \\\"ippc\\\",\\n    proto == 69, \\\"sat-mon\\\",\\n    proto == 70, \\\"visa\\\",\\n    proto == 71, \\\"ipcv\\\",\\n    proto == 72, \\\"cpnx\\\",\\n    proto == 73, \\\"cphb\\\",\\n    proto == 74, \\\"wsn\\\",\\n    proto == 75, \\\"pvp\\\",\\n    proto == 76, \\\"br-sat-mon\\\",\\n    proto == 77, \\\"sun-nd\\\",\\n    proto == 78, \\\"wb-mon\\\",\\n    proto == 79, \\\"wb-expak\\\",\\n    proto == 80, \\\"iso-ip\\\",\\n    proto == 81, \\\"vmtp\\\",\\n    proto == 82, \\\"secure-vmtp\\\",\\n    proto == 83, \\\"vines\\\",\\n    proto == 84, \\\"iptm\\\",\\n    proto == 85, \\\"nsfnet-igp\\\",\\n    proto == 86, \\\"dgp\\\",\\n    proto == 87, \\\"tcf\\\",\\n    proto == 88, \\\"eigrp\\\",\\n    proto == 89, \\\"ospfigp\\\",\\n    proto == 90, \\\"sprite-rpc\\\",\\n    proto == 91, \\\"larp\\\",\\n    proto == 92, \\\"mtp\\\",\\n    proto == 93, \\\"ax.25\\\",\\n    proto == 94, \\\"ipip\\\",\\n    proto == 95, \\\"micp\\\",\\n    proto == 96, \\\"scc-sp\\\",\\n    proto == 97, \\\"etherip\\\",\\n    proto == 98, \\\"encap\\\",\\n    proto == 100, \\\"gmtp\\\",\\n    proto == 101, \\\"ifmp\\\",\\n    proto == 102, \\\"pnni\\\",\\n    proto == 103, \\\"pim\\\",\\n    proto == 104, \\\"aris\\\",\\n    proto == 105, \\\"scps\\\",\\n    proto == 106, \\\"qnx\\\",\\n    proto == 107, \\\"a/n\\\",\\n    proto == 108, \\\"ipcomp\\\",\\n    proto == 109, \\\"snp\\\",\\n    proto == 110, \\\"compaq-peer\\\",\\n    proto == 111, \\\"ipx-in-ip\\\",\\n    proto == 112, \\\"vrrp\\\",\\n    proto == 113, \\\"pgm\\\",\\n    proto == 115, \\\"l2tp\\\",\\n    proto == 116, \\\"ddx\\\",\\n    proto == 117, \\\"iatp\\\",\\n    proto == 118, \\\"stp\\\",\\n    proto == 119, \\\"srp\\\",\\n    proto == 120, \\\"uti\\\",\\n    proto == 121, \\\"smp\\\",\\n    proto == 122, \\\"sm\\\",\\n    proto == 123, \\\"ptp\\\",\\n    proto == 124, \\\"isis over ipv4\\\",\\n    proto == 125, \\\"fire\\\",\\n    proto == 126, \\\"crtp\\\",\\n    proto == 127, \\\"crudp\\\",\\n    proto == 128, \\\"sscopmce\\\",\\n    proto == 129, \\\"iplt\\\",\\n    proto == 130, \\\"sps\\\",\\n    proto == 131, \\\"pipe\\\",\\n    proto == 132, \\\"sctp\\\",\\n    proto == 133, \\\"fc\\\",\\n    proto == 134, \\\"rsvp-e2e-ignore\\\",\\n    proto == 135, \\\"mobility header\\\",\\n    proto == 136, \\\"udplite\\\",\\n    proto == 137, \\\"mpls-in-ip\\\",\\n    proto == 138, \\\"manet\\\",\\n    proto == 139, \\\"hip\\\",\\n    proto == 140, \\\"shim6\\\",\\n    proto == 141, \\\"wesp\\\",\\n    proto == 142, \\\"rohc\\\",\\n    proto == 143, \\\"ethernet\\\",\\n    proto == 144, \\\"aggfrag\\\",\\n    proto == 145, \\\"nsh\\\",\\n    proto >= 146 and proto <= 252, \\\"unknown\\\",\\n    proto == 253, \\\"unknown\\\",\\n    proto == 254, \\\"unknown\\\",\\n    proto == 255, \\\"reserved\\\",\\n    \\\"unknown\\\"\\n)\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f07c08c2-ff0f-42a7-adc6-4fd5d7f1cb19\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_label\",\"label\":\"Source Label\",\"type\":2,\"description\":\"Filter for source labels\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where src_labels != ''\\n| extend parsed_labels = parse_json(src_labels)\\n| mv-expand kind=array parsed_labels\\n| extend src_label=tostring(parsed_labels[1])\\n| summarize by src_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9d5cb77f-31a5-41ed-8849-aaee2b513f54\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_label\",\"label\":\"Destination Label\",\"type\":2,\"description\":\"Filter for destination label\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where dst_labels != ''\\n| extend parsed_labels = parse_json(dst_labels)\\n| mv-expand kind=array parsed_labels\\n| extend dst_label=tostring(parsed_labels[1])\\n| summarize by dst_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"all_traffic_params\",\"styleSettings\":{\"maxWidth\":\"30\"}}],\"exportParameters\":true},\"name\":\"parameters_group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and  (dst_labels has_any ({dst_label}) or '*' in ({dst_label}))  and  (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol})) \\n| extend policy_decision = \\n    case(pd == 0, \\\"Allowed\\\",\\n         pd == 1, \\\"Potentially Blocked\\\",\\n         pd == 2, \\\"Blocked\\\",\\n        \\\"Unknown\\\")\\n| summarize count() by policy_decision\\n\",\"size\":2,\"title\":\"Flow count by policy decision\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Potentially Blocked\",\"color\":\"yellow\"},{\"seriesName\":\"Allowed\",\"color\":\"green\"},{\"seriesName\":\"Blocked\",\"color\":\"red\"},{\"seriesName\":\"Unknown\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Flow count by policy decision\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nlet table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label}))  and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend class_type = \\n    case(class == 'B', 'Broadcast',\\n         class == 'M', 'Multicast',\\n         class == 'U', \\\"Unicast\\\",\\n        \\\"Unknown\\\")\\n| summarize count() by class_type\\n\",\"size\":2,\"title\":\"Flows by class\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"Flows by class\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### A service is indicated with a destination port and protocol, represented in the below graph as \\\"destination_port/protocol\\\"\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocolName = case(\\n    proto == -1, \\\"all\\\",\\n    proto == 0, \\\"hopopt\\\",\\n    proto == 1, \\\"icmp\\\",\\n    proto == 2, \\\"igmp\\\",\\n    proto == 3, \\\"ggp\\\",\\n    proto == 4, \\\"ipv4\\\",\\n    proto == 5, \\\"st\\\",\\n    proto == 6, \\\"tcp\\\",\\n    proto == 7, \\\"cbt\\\",\\n    proto == 8, \\\"egp\\\",\\n    proto == 9, \\\"igp\\\",\\n    proto == 10, \\\"bbn-rcc-mon\\\",\\n    proto == 11, \\\"nvp-ii\\\",\\n    proto == 12, \\\"pup\\\",\\n    proto == 13, \\\"argus\\\",\\n    proto == 14, \\\"emcon\\\",\\n    proto == 15, \\\"xnet\\\",\\n    proto == 16, \\\"chaos\\\",\\n    proto == 17, \\\"udp\\\",\\n    proto == 18, \\\"mux\\\",\\n    proto == 19, \\\"dcn-meas\\\",\\n    proto == 20, \\\"hmp\\\",\\n    proto == 21, \\\"prm\\\",\\n    proto == 22, \\\"xns-idp\\\",\\n    proto == 23, \\\"trunk-1\\\",\\n    proto == 24, \\\"trunk-2\\\",\\n    proto == 25, \\\"leaf-1\\\",\\n    proto == 26, \\\"leaf-2\\\",\\n    proto == 27, \\\"rdp\\\",\\n    proto == 28, \\\"irtp\\\",\\n    proto == 29, \\\"iso-tp4\\\",\\n    proto == 30, \\\"netblt\\\",\\n    proto == 31, \\\"mfe-nsp\\\",\\n    proto == 32, \\\"merit-inp\\\",\\n    proto == 33, \\\"dccp\\\",\\n    proto == 34, \\\"3pc\\\",\\n    proto == 35, \\\"idpr\\\",\\n    proto == 36, \\\"xtp\\\",\\n    proto == 37, \\\"ddp\\\",\\n    proto == 38, \\\"idpr-cmtp\\\",\\n    proto == 39, \\\"tp++\\\",\\n    proto == 40, \\\"il\\\",\\n    proto == 41, \\\"ipv6\\\",\\n    proto == 42, \\\"sdrp\\\",\\n    proto == 43, \\\"ipv6-route\\\",\\n    proto == 44, \\\"ipv6-frag\\\",\\n    proto == 45, \\\"idrp\\\",\\n    proto == 46, \\\"rsvp\\\",\\n    proto == 47, \\\"gre\\\",\\n    proto == 48, \\\"dsr\\\",\\n    proto == 49, \\\"bna\\\",\\n    proto == 50, \\\"esp\\\",\\n    proto == 51, \\\"ah\\\",\\n    proto == 52, \\\"i-nlsp\\\",\\n    proto == 53, \\\"swipe\\\",\\n    proto == 54, \\\"narp\\\",\\n    proto == 55, \\\"mobile\\\",\\n    proto == 56, \\\"tlsp\\\",\\n    proto == 57, \\\"skip\\\",\\n    proto == 58, \\\"ipv6-icmp\\\",\\n    proto == 59, \\\"ipv6-nonxt\\\",\\n    proto == 60, \\\"ipv6-opts\\\",\\n    proto == 62, \\\"cftp\\\",\\n    proto == 64, \\\"sat-expak\\\",\\n    proto == 65, \\\"kryptolan\\\",\\n    proto == 66, \\\"rvd\\\",\\n    proto == 67, \\\"ippc\\\",\\n    proto == 69, \\\"sat-mon\\\",\\n    proto == 70, \\\"visa\\\",\\n    proto == 71, \\\"ipcv\\\",\\n    proto == 72, \\\"cpnx\\\",\\n    proto == 73, \\\"cphb\\\",\\n    proto == 74, \\\"wsn\\\",\\n    proto == 75, \\\"pvp\\\",\\n    proto == 76, \\\"br-sat-mon\\\",\\n    proto == 77, \\\"sun-nd\\\",\\n    proto == 78, \\\"wb-mon\\\",\\n    proto == 79, \\\"wb-expak\\\",\\n    proto == 80, \\\"iso-ip\\\",\\n    proto == 81, \\\"vmtp\\\",\\n    proto == 82, \\\"secure-vmtp\\\",\\n    proto == 83, \\\"vines\\\",\\n    proto == 84, \\\"iptm\\\",\\n    proto == 85, \\\"nsfnet-igp\\\",\\n    proto == 86, \\\"dgp\\\",\\n    proto == 87, \\\"tcf\\\",\\n    proto == 88, \\\"eigrp\\\",\\n    proto == 89, \\\"ospfigp\\\",\\n    proto == 90, \\\"sprite-rpc\\\",\\n    proto == 91, \\\"larp\\\",\\n    proto == 92, \\\"mtp\\\",\\n    proto == 93, \\\"ax.25\\\",\\n    proto == 94, \\\"ipip\\\",\\n    proto == 95, \\\"micp\\\",\\n    proto == 96, \\\"scc-sp\\\",\\n    proto == 97, \\\"etherip\\\",\\n    proto == 98, \\\"encap\\\",\\n    proto == 100, \\\"gmtp\\\",\\n    proto == 101, \\\"ifmp\\\",\\n    proto == 102, \\\"pnni\\\",\\n    proto == 103, \\\"pim\\\",\\n    proto == 104, \\\"aris\\\",\\n    proto == 105, \\\"scps\\\",\\n    proto == 106, \\\"qnx\\\",\\n    proto == 107, \\\"a/n\\\",\\n    proto == 108, \\\"ipcomp\\\",\\n    proto == 109, \\\"snp\\\",\\n    proto == 110, \\\"compaq-peer\\\",\\n    proto == 111, \\\"ipx-in-ip\\\",\\n    proto == 112, \\\"vrrp\\\",\\n    proto == 113, \\\"pgm\\\",\\n    proto == 115, \\\"l2tp\\\",\\n    proto == 116, \\\"ddx\\\",\\n    proto == 117, \\\"iatp\\\",\\n    proto == 118, \\\"stp\\\",\\n    proto == 119, \\\"srp\\\",\\n    proto == 120, \\\"uti\\\",\\n    proto == 121, \\\"smp\\\",\\n    proto == 122, \\\"sm\\\",\\n    proto == 123, \\\"ptp\\\",\\n    proto == 124, \\\"isis over ipv4\\\",\\n    proto == 125, \\\"fire\\\",\\n    proto == 126, \\\"crtp\\\",\\n    proto == 127, \\\"crudp\\\",\\n    proto == 128, \\\"sscopmce\\\",\\n    proto == 129, \\\"iplt\\\",\\n    proto == 130, \\\"sps\\\",\\n    proto == 131, \\\"pipe\\\",\\n    proto == 132, \\\"sctp\\\",\\n    proto == 133, \\\"fc\\\",\\n    proto == 134, \\\"rsvp-e2e-ignore\\\",\\n    proto == 135, \\\"mobility header\\\",\\n    proto == 136, \\\"udplite\\\",\\n    proto == 137, \\\"mpls-in-ip\\\",\\n    proto == 138, \\\"manet\\\",\\n    proto == 139, \\\"hip\\\",\\n    proto == 140, \\\"shim6\\\",\\n    proto == 141, \\\"wesp\\\",\\n    proto == 142, \\\"rohc\\\",\\n    proto == 143, \\\"ethernet\\\",\\n    proto == 144, \\\"aggfrag\\\",\\n    proto == 145, \\\"nsh\\\",\\n    proto >= 146 and proto <= 252, \\\"unknown\\\",\\n    proto == 253, \\\"unknown\\\",\\n    proto == 254, \\\"unknown\\\",\\n    proto == 255, \\\"reserved\\\",\\n    \\\"unknown\\\"\\n)\\n| extend service = strcat(dst_port, '/', protocolName)\\n| summarize service_count = count() by service\\n| top 5 by service_count\\n\",\"size\":0,\"title\":\"Top 5 Services by Flow Count\",\"color\":\"blue\",\"noDataMessage\":\"No services found\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"xAxis\":\"service\",\"yAxis\":[\"service_count\"],\"xSettings\":{\"label\":\"Destination Service\"},\"ySettings\":{\"label\":\"Count\"}}},\"name\":\"Top 5 Services by Flow Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where pd == 2 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n    proto == -1, \\\"all\\\",\\n    proto == 0, \\\"hopopt\\\",\\n    proto == 1, \\\"icmp\\\",\\n    proto == 2, \\\"igmp\\\",\\n    proto == 3, \\\"ggp\\\",\\n    proto == 4, \\\"ipv4\\\",\\n    proto == 5, \\\"st\\\",\\n    proto == 6, \\\"tcp\\\",\\n    proto == 7, \\\"cbt\\\",\\n    proto == 8, \\\"egp\\\",\\n    proto == 9, \\\"igp\\\",\\n    proto == 10, \\\"bbn-rcc-mon\\\",\\n    proto == 11, \\\"nvp-ii\\\",\\n    proto == 12, \\\"pup\\\",\\n    proto == 13, \\\"argus\\\",\\n    proto == 14, \\\"emcon\\\",\\n    proto == 15, \\\"xnet\\\",\\n    proto == 16, \\\"chaos\\\",\\n    proto == 17, \\\"udp\\\",\\n    proto == 18, \\\"mux\\\",\\n    proto == 19, \\\"dcn-meas\\\",\\n    proto == 20, \\\"hmp\\\",\\n    proto == 21, \\\"prm\\\",\\n    proto == 22, \\\"xns-idp\\\",\\n    proto == 23, \\\"trunk-1\\\",\\n    proto == 24, \\\"trunk-2\\\",\\n    proto == 25, \\\"leaf-1\\\",\\n    proto == 26, \\\"leaf-2\\\",\\n    proto == 27, \\\"rdp\\\",\\n    proto == 28, \\\"irtp\\\",\\n    proto == 29, \\\"iso-tp4\\\",\\n    proto == 30, \\\"netblt\\\",\\n    proto == 31, \\\"mfe-nsp\\\",\\n    proto == 32, \\\"merit-inp\\\",\\n    proto == 33, \\\"dccp\\\",\\n    proto == 34, \\\"3pc\\\",\\n    proto == 35, \\\"idpr\\\",\\n    proto == 36, \\\"xtp\\\",\\n    proto == 37, \\\"ddp\\\",\\n    proto == 38, \\\"idpr-cmtp\\\",\\n    proto == 39, \\\"tp++\\\",\\n    proto == 40, \\\"il\\\",\\n    proto == 41, \\\"ipv6\\\",\\n    proto == 42, \\\"sdrp\\\",\\n    proto == 43, \\\"ipv6-route\\\",\\n    proto == 44, \\\"ipv6-frag\\\",\\n    proto == 45, \\\"idrp\\\",\\n    proto == 46, \\\"rsvp\\\",\\n    proto == 47, \\\"gre\\\",\\n    proto == 48, \\\"dsr\\\",\\n    proto == 49, \\\"bna\\\",\\n    proto == 50, \\\"esp\\\",\\n    proto == 51, \\\"ah\\\",\\n    proto == 52, \\\"i-nlsp\\\",\\n    proto == 53, \\\"swipe\\\",\\n    proto == 54, \\\"narp\\\",\\n    proto == 55, \\\"mobile\\\",\\n    proto == 56, \\\"tlsp\\\",\\n    proto == 57, \\\"skip\\\",\\n    proto == 58, \\\"ipv6-icmp\\\",\\n    proto == 59, \\\"ipv6-nonxt\\\",\\n    proto == 60, \\\"ipv6-opts\\\",\\n    proto == 62, \\\"cftp\\\",\\n    proto == 64, \\\"sat-expak\\\",\\n    proto == 65, \\\"kryptolan\\\",\\n    proto == 66, \\\"rvd\\\",\\n    proto == 67, \\\"ippc\\\",\\n    proto == 69, \\\"sat-mon\\\",\\n    proto == 70, \\\"visa\\\",\\n    proto == 71, \\\"ipcv\\\",\\n    proto == 72, \\\"cpnx\\\",\\n    proto == 73, \\\"cphb\\\",\\n    proto == 74, \\\"wsn\\\",\\n    proto == 75, \\\"pvp\\\",\\n    proto == 76, \\\"br-sat-mon\\\",\\n    proto == 77, \\\"sun-nd\\\",\\n    proto == 78, \\\"wb-mon\\\",\\n    proto == 79, \\\"wb-expak\\\",\\n    proto == 80, \\\"iso-ip\\\",\\n    proto == 81, \\\"vmtp\\\",\\n    proto == 82, \\\"secure-vmtp\\\",\\n    proto == 83, \\\"vines\\\",\\n    proto == 84, \\\"iptm\\\",\\n    proto == 85, \\\"nsfnet-igp\\\",\\n    proto == 86, \\\"dgp\\\",\\n    proto == 87, \\\"tcf\\\",\\n    proto == 88, \\\"eigrp\\\",\\n    proto == 89, \\\"ospfigp\\\",\\n    proto == 90, \\\"sprite-rpc\\\",\\n    proto == 91, \\\"larp\\\",\\n    proto == 92, \\\"mtp\\\",\\n    proto == 93, \\\"ax.25\\\",\\n    proto == 94, \\\"ipip\\\",\\n    proto == 95, \\\"micp\\\",\\n    proto == 96, \\\"scc-sp\\\",\\n    proto == 97, \\\"etherip\\\",\\n    proto == 98, \\\"encap\\\",\\n    proto == 100, \\\"gmtp\\\",\\n    proto == 101, \\\"ifmp\\\",\\n    proto == 102, \\\"pnni\\\",\\n    proto == 103, \\\"pim\\\",\\n    proto == 104, \\\"aris\\\",\\n    proto == 105, \\\"scps\\\",\\n    proto == 106, \\\"qnx\\\",\\n    proto == 107, \\\"a/n\\\",\\n    proto == 108, \\\"ipcomp\\\",\\n    proto == 109, \\\"snp\\\",\\n    proto == 110, \\\"compaq-peer\\\",\\n    proto == 111, \\\"ipx-in-ip\\\",\\n    proto == 112, \\\"vrrp\\\",\\n    proto == 113, \\\"pgm\\\",\\n    proto == 115, \\\"l2tp\\\",\\n    proto == 116, \\\"ddx\\\",\\n    proto == 117, \\\"iatp\\\",\\n    proto == 118, \\\"stp\\\",\\n    proto == 119, \\\"srp\\\",\\n    proto == 120, \\\"uti\\\",\\n    proto == 121, \\\"smp\\\",\\n    proto == 122, \\\"sm\\\",\\n    proto == 123, \\\"ptp\\\",\\n    proto == 124, \\\"isis over ipv4\\\",\\n    proto == 125, \\\"fire\\\",\\n    proto == 126, \\\"crtp\\\",\\n    proto == 127, \\\"crudp\\\",\\n    proto == 128, \\\"sscopmce\\\",\\n    proto == 129, \\\"iplt\\\",\\n    proto == 130, \\\"sps\\\",\\n    proto == 131, \\\"pipe\\\",\\n    proto == 132, \\\"sctp\\\",\\n    proto == 133, \\\"fc\\\",\\n    proto == 134, \\\"rsvp-e2e-ignore\\\",\\n    proto == 135, \\\"mobility header\\\",\\n    proto == 136, \\\"udplite\\\",\\n    proto == 137, \\\"mpls-in-ip\\\",\\n    proto == 138, \\\"manet\\\",\\n    proto == 139, \\\"hip\\\",\\n    proto == 140, \\\"shim6\\\",\\n    proto == 141, \\\"wesp\\\",\\n    proto == 142, \\\"rohc\\\",\\n    proto == 143, \\\"ethernet\\\",\\n    proto == 144, \\\"aggfrag\\\",\\n    proto == 145, \\\"nsh\\\",\\n    proto >= 146 and proto <= 252, \\\"unknown\\\",\\n    proto == 253, \\\"unknown\\\",\\n    proto == 254, \\\"unknown\\\",\\n    proto == 255, \\\"reserved\\\",\\n    \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Blocked Traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Blocked Traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where pd == 1 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n    proto == -1, \\\"all\\\",\\n    proto == 0, \\\"hopopt\\\",\\n    proto == 1, \\\"icmp\\\",\\n    proto == 2, \\\"igmp\\\",\\n    proto == 3, \\\"ggp\\\",\\n    proto == 4, \\\"ipv4\\\",\\n    proto == 5, \\\"st\\\",\\n    proto == 6, \\\"tcp\\\",\\n    proto == 7, \\\"cbt\\\",\\n    proto == 8, \\\"egp\\\",\\n    proto == 9, \\\"igp\\\",\\n    proto == 10, \\\"bbn-rcc-mon\\\",\\n    proto == 11, \\\"nvp-ii\\\",\\n    proto == 12, \\\"pup\\\",\\n    proto == 13, \\\"argus\\\",\\n    proto == 14, \\\"emcon\\\",\\n    proto == 15, \\\"xnet\\\",\\n    proto == 16, \\\"chaos\\\",\\n    proto == 17, \\\"udp\\\",\\n    proto == 18, \\\"mux\\\",\\n    proto == 19, \\\"dcn-meas\\\",\\n    proto == 20, \\\"hmp\\\",\\n    proto == 21, \\\"prm\\\",\\n    proto == 22, \\\"xns-idp\\\",\\n    proto == 23, \\\"trunk-1\\\",\\n    proto == 24, \\\"trunk-2\\\",\\n    proto == 25, \\\"leaf-1\\\",\\n    proto == 26, \\\"leaf-2\\\",\\n    proto == 27, \\\"rdp\\\",\\n    proto == 28, \\\"irtp\\\",\\n    proto == 29, \\\"iso-tp4\\\",\\n    proto == 30, \\\"netblt\\\",\\n    proto == 31, \\\"mfe-nsp\\\",\\n    proto == 32, \\\"merit-inp\\\",\\n    proto == 33, \\\"dccp\\\",\\n    proto == 34, \\\"3pc\\\",\\n    proto == 35, \\\"idpr\\\",\\n    proto == 36, \\\"xtp\\\",\\n    proto == 37, \\\"ddp\\\",\\n    proto == 38, \\\"idpr-cmtp\\\",\\n    proto == 39, \\\"tp++\\\",\\n    proto == 40, \\\"il\\\",\\n    proto == 41, \\\"ipv6\\\",\\n    proto == 42, \\\"sdrp\\\",\\n    proto == 43, \\\"ipv6-route\\\",\\n    proto == 44, \\\"ipv6-frag\\\",\\n    proto == 45, \\\"idrp\\\",\\n    proto == 46, \\\"rsvp\\\",\\n    proto == 47, \\\"gre\\\",\\n    proto == 48, \\\"dsr\\\",\\n    proto == 49, \\\"bna\\\",\\n    proto == 50, \\\"esp\\\",\\n    proto == 51, \\\"ah\\\",\\n    proto == 52, \\\"i-nlsp\\\",\\n    proto == 53, \\\"swipe\\\",\\n    proto == 54, \\\"narp\\\",\\n    proto == 55, \\\"mobile\\\",\\n    proto == 56, \\\"tlsp\\\",\\n    proto == 57, \\\"skip\\\",\\n    proto == 58, \\\"ipv6-icmp\\\",\\n    proto == 59, \\\"ipv6-nonxt\\\",\\n    proto == 60, \\\"ipv6-opts\\\",\\n    proto == 62, \\\"cftp\\\",\\n    proto == 64, \\\"sat-expak\\\",\\n    proto == 65, \\\"kryptolan\\\",\\n    proto == 66, \\\"rvd\\\",\\n    proto == 67, \\\"ippc\\\",\\n    proto == 69, \\\"sat-mon\\\",\\n    proto == 70, \\\"visa\\\",\\n    proto == 71, \\\"ipcv\\\",\\n    proto == 72, \\\"cpnx\\\",\\n    proto == 73, \\\"cphb\\\",\\n    proto == 74, \\\"wsn\\\",\\n    proto == 75, \\\"pvp\\\",\\n    proto == 76, \\\"br-sat-mon\\\",\\n    proto == 77, \\\"sun-nd\\\",\\n    proto == 78, \\\"wb-mon\\\",\\n    proto == 79, \\\"wb-expak\\\",\\n    proto == 80, \\\"iso-ip\\\",\\n    proto == 81, \\\"vmtp\\\",\\n    proto == 82, \\\"secure-vmtp\\\",\\n    proto == 83, \\\"vines\\\",\\n    proto == 84, \\\"iptm\\\",\\n    proto == 85, \\\"nsfnet-igp\\\",\\n    proto == 86, \\\"dgp\\\",\\n    proto == 87, \\\"tcf\\\",\\n    proto == 88, \\\"eigrp\\\",\\n    proto == 89, \\\"ospfigp\\\",\\n    proto == 90, \\\"sprite-rpc\\\",\\n    proto == 91, \\\"larp\\\",\\n    proto == 92, \\\"mtp\\\",\\n    proto == 93, \\\"ax.25\\\",\\n    proto == 94, \\\"ipip\\\",\\n    proto == 95, \\\"micp\\\",\\n    proto == 96, \\\"scc-sp\\\",\\n    proto == 97, \\\"etherip\\\",\\n    proto == 98, \\\"encap\\\",\\n    proto == 100, \\\"gmtp\\\",\\n    proto == 101, \\\"ifmp\\\",\\n    proto == 102, \\\"pnni\\\",\\n    proto == 103, \\\"pim\\\",\\n    proto == 104, \\\"aris\\\",\\n    proto == 105, \\\"scps\\\",\\n    proto == 106, \\\"qnx\\\",\\n    proto == 107, \\\"a/n\\\",\\n    proto == 108, \\\"ipcomp\\\",\\n    proto == 109, \\\"snp\\\",\\n    proto == 110, \\\"compaq-peer\\\",\\n    proto == 111, \\\"ipx-in-ip\\\",\\n    proto == 112, \\\"vrrp\\\",\\n    proto == 113, \\\"pgm\\\",\\n    proto == 115, \\\"l2tp\\\",\\n    proto == 116, \\\"ddx\\\",\\n    proto == 117, \\\"iatp\\\",\\n    proto == 118, \\\"stp\\\",\\n    proto == 119, \\\"srp\\\",\\n    proto == 120, \\\"uti\\\",\\n    proto == 121, \\\"smp\\\",\\n    proto == 122, \\\"sm\\\",\\n    proto == 123, \\\"ptp\\\",\\n    proto == 124, \\\"isis over ipv4\\\",\\n    proto == 125, \\\"fire\\\",\\n    proto == 126, \\\"crtp\\\",\\n    proto == 127, \\\"crudp\\\",\\n    proto == 128, \\\"sscopmce\\\",\\n    proto == 129, \\\"iplt\\\",\\n    proto == 130, \\\"sps\\\",\\n    proto == 131, \\\"pipe\\\",\\n    proto == 132, \\\"sctp\\\",\\n    proto == 133, \\\"fc\\\",\\n    proto == 134, \\\"rsvp-e2e-ignore\\\",\\n    proto == 135, \\\"mobility header\\\",\\n    proto == 136, \\\"udplite\\\",\\n    proto == 137, \\\"mpls-in-ip\\\",\\n    proto == 138, \\\"manet\\\",\\n    proto == 139, \\\"hip\\\",\\n    proto == 140, \\\"shim6\\\",\\n    proto == 141, \\\"wesp\\\",\\n    proto == 142, \\\"rohc\\\",\\n    proto == 143, \\\"ethernet\\\",\\n    proto == 144, \\\"aggfrag\\\",\\n    proto == 145, \\\"nsh\\\",\\n    proto >= 146 and proto <= 252, \\\"unknown\\\",\\n    proto == 253, \\\"unknown\\\",\\n    proto == 254, \\\"unknown\\\",\\n    proto == 255, \\\"reserved\\\",\\n    \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Potentially blocked traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Potentially blocked traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where pd == 0 and  (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n    proto == -1, \\\"all\\\",\\n    proto == 0, \\\"hopopt\\\",\\n    proto == 1, \\\"icmp\\\",\\n    proto == 2, \\\"igmp\\\",\\n    proto == 3, \\\"ggp\\\",\\n    proto == 4, \\\"ipv4\\\",\\n    proto == 5, \\\"st\\\",\\n    proto == 6, \\\"tcp\\\",\\n    proto == 7, \\\"cbt\\\",\\n    proto == 8, \\\"egp\\\",\\n    proto == 9, \\\"igp\\\",\\n    proto == 10, \\\"bbn-rcc-mon\\\",\\n    proto == 11, \\\"nvp-ii\\\",\\n    proto == 12, \\\"pup\\\",\\n    proto == 13, \\\"argus\\\",\\n    proto == 14, \\\"emcon\\\",\\n    proto == 15, \\\"xnet\\\",\\n    proto == 16, \\\"chaos\\\",\\n    proto == 17, \\\"udp\\\",\\n    proto == 18, \\\"mux\\\",\\n    proto == 19, \\\"dcn-meas\\\",\\n    proto == 20, \\\"hmp\\\",\\n    proto == 21, \\\"prm\\\",\\n    proto == 22, \\\"xns-idp\\\",\\n    proto == 23, \\\"trunk-1\\\",\\n    proto == 24, \\\"trunk-2\\\",\\n    proto == 25, \\\"leaf-1\\\",\\n    proto == 26, \\\"leaf-2\\\",\\n    proto == 27, \\\"rdp\\\",\\n    proto == 28, \\\"irtp\\\",\\n    proto == 29, \\\"iso-tp4\\\",\\n    proto == 30, \\\"netblt\\\",\\n    proto == 31, \\\"mfe-nsp\\\",\\n    proto == 32, \\\"merit-inp\\\",\\n    proto == 33, \\\"dccp\\\",\\n    proto == 34, \\\"3pc\\\",\\n    proto == 35, \\\"idpr\\\",\\n    proto == 36, \\\"xtp\\\",\\n    proto == 37, \\\"ddp\\\",\\n    proto == 38, \\\"idpr-cmtp\\\",\\n    proto == 39, \\\"tp++\\\",\\n    proto == 40, \\\"il\\\",\\n    proto == 41, \\\"ipv6\\\",\\n    proto == 42, \\\"sdrp\\\",\\n    proto == 43, \\\"ipv6-route\\\",\\n    proto == 44, \\\"ipv6-frag\\\",\\n    proto == 45, \\\"idrp\\\",\\n    proto == 46, \\\"rsvp\\\",\\n    proto == 47, \\\"gre\\\",\\n    proto == 48, \\\"dsr\\\",\\n    proto == 49, \\\"bna\\\",\\n    proto == 50, \\\"esp\\\",\\n    proto == 51, \\\"ah\\\",\\n    proto == 52, \\\"i-nlsp\\\",\\n    proto == 53, \\\"swipe\\\",\\n    proto == 54, \\\"narp\\\",\\n    proto == 55, \\\"mobile\\\",\\n    proto == 56, \\\"tlsp\\\",\\n    proto == 57, \\\"skip\\\",\\n    proto == 58, \\\"ipv6-icmp\\\",\\n    proto == 59, \\\"ipv6-nonxt\\\",\\n    proto == 60, \\\"ipv6-opts\\\",\\n    proto == 62, \\\"cftp\\\",\\n    proto == 64, \\\"sat-expak\\\",\\n    proto == 65, \\\"kryptolan\\\",\\n    proto == 66, \\\"rvd\\\",\\n    proto == 67, \\\"ippc\\\",\\n    proto == 69, \\\"sat-mon\\\",\\n    proto == 70, \\\"visa\\\",\\n    proto == 71, \\\"ipcv\\\",\\n    proto == 72, \\\"cpnx\\\",\\n    proto == 73, \\\"cphb\\\",\\n    proto == 74, \\\"wsn\\\",\\n    proto == 75, \\\"pvp\\\",\\n    proto == 76, \\\"br-sat-mon\\\",\\n    proto == 77, \\\"sun-nd\\\",\\n    proto == 78, \\\"wb-mon\\\",\\n    proto == 79, \\\"wb-expak\\\",\\n    proto == 80, \\\"iso-ip\\\",\\n    proto == 81, \\\"vmtp\\\",\\n    proto == 82, \\\"secure-vmtp\\\",\\n    proto == 83, \\\"vines\\\",\\n    proto == 84, \\\"iptm\\\",\\n    proto == 85, \\\"nsfnet-igp\\\",\\n    proto == 86, \\\"dgp\\\",\\n    proto == 87, \\\"tcf\\\",\\n    proto == 88, \\\"eigrp\\\",\\n    proto == 89, \\\"ospfigp\\\",\\n    proto == 90, \\\"sprite-rpc\\\",\\n    proto == 91, \\\"larp\\\",\\n    proto == 92, \\\"mtp\\\",\\n    proto == 93, \\\"ax.25\\\",\\n    proto == 94, \\\"ipip\\\",\\n    proto == 95, \\\"micp\\\",\\n    proto == 96, \\\"scc-sp\\\",\\n    proto == 97, \\\"etherip\\\",\\n    proto == 98, \\\"encap\\\",\\n    proto == 100, \\\"gmtp\\\",\\n    proto == 101, \\\"ifmp\\\",\\n    proto == 102, \\\"pnni\\\",\\n    proto == 103, \\\"pim\\\",\\n    proto == 104, \\\"aris\\\",\\n    proto == 105, \\\"scps\\\",\\n    proto == 106, \\\"qnx\\\",\\n    proto == 107, \\\"a/n\\\",\\n    proto == 108, \\\"ipcomp\\\",\\n    proto == 109, \\\"snp\\\",\\n    proto == 110, \\\"compaq-peer\\\",\\n    proto == 111, \\\"ipx-in-ip\\\",\\n    proto == 112, \\\"vrrp\\\",\\n    proto == 113, \\\"pgm\\\",\\n    proto == 115, \\\"l2tp\\\",\\n    proto == 116, \\\"ddx\\\",\\n    proto == 117, \\\"iatp\\\",\\n    proto == 118, \\\"stp\\\",\\n    proto == 119, \\\"srp\\\",\\n    proto == 120, \\\"uti\\\",\\n    proto == 121, \\\"smp\\\",\\n    proto == 122, \\\"sm\\\",\\n    proto == 123, \\\"ptp\\\",\\n    proto == 124, \\\"isis over ipv4\\\",\\n    proto == 125, \\\"fire\\\",\\n    proto == 126, \\\"crtp\\\",\\n    proto == 127, \\\"crudp\\\",\\n    proto == 128, \\\"sscopmce\\\",\\n    proto == 129, \\\"iplt\\\",\\n    proto == 130, \\\"sps\\\",\\n    proto == 131, \\\"pipe\\\",\\n    proto == 132, \\\"sctp\\\",\\n    proto == 133, \\\"fc\\\",\\n    proto == 134, \\\"rsvp-e2e-ignore\\\",\\n    proto == 135, \\\"mobility header\\\",\\n    proto == 136, \\\"udplite\\\",\\n    proto == 137, \\\"mpls-in-ip\\\",\\n    proto == 138, \\\"manet\\\",\\n    proto == 139, \\\"hip\\\",\\n    proto == 140, \\\"shim6\\\",\\n    proto == 141, \\\"wesp\\\",\\n    proto == 142, \\\"rohc\\\",\\n    proto == 143, \\\"ethernet\\\",\\n    proto == 144, \\\"aggfrag\\\",\\n    proto == 145, \\\"nsh\\\",\\n    proto >= 146 and proto <= 252, \\\"unknown\\\",\\n    proto == 253, \\\"unknown\\\",\\n    proto == 254, \\\"unknown\\\",\\n    proto == 255, \\\"reserved\\\",\\n    \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\",\"size\":0,\"title\":\"Allowed traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Allowed traffic\"}]},\"name\":\"Traffic Explorer\"}],\"fromTemplateId\":\"sentinel-FlowDataWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
                 "version": "1.0",
                 "sourceId": "[variables('workspaceResourceId')]",
                 "category": "sentinel"
@@ -692,7 +706,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "IllumioWorkloadsStats Workbook with template version 3.3.0",
+        "description": "IllumioWorkloadsStats Workbook with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion3')]",
@@ -710,7 +724,7 @@
               },
               "properties": {
                 "displayName": "[parameters('workbook3-name')]",
-                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Illumio Workloads Stats\\n---\\n\\nThis workbook uses Illumio APIs to fetch workload details and presents stats.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"4de2c193-277e-4f8e-88b5-2caac1676e2b\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Operations\",\"subTarget\":\"0\",\"style\":\"link\",\"tabWidth\":\"500px\"},{\"id\":\"8b46c8dd-071a-4bd4-9d36-1247d8777702\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Investigations\",\"subTarget\":\"1\",\"style\":\"link\",\"tabWidth\":\"500px\"}]},\"name\":\"links - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print workload_response = '{GETWorkloadsAPI}'\\n| project parse_json(workload_response)\\n| mv-apply workload_response on (\\n    where workload_response.managed == 'true' and isnotempty(workload_response.risk_summary)\\n    | project exposure_severity = workload_response.risk_summary.ransomware.workload_exposure_severity,\\n            protection_percentage = workload_response.risk_summary.ransomware.ransomware_protection_percent,\\n            updated_at = workload_response.risk_summary.ransomware.last_updated_at\\n    )\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"Ransomware\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_version)\\n| mv-expand keyValue = parsedJson\\n| extend version = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project version, count_\",\"size\":3,\"title\":\"Workloads by VEN Version\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_managed)\\n| mv-expand keyValue = parsedJson\\n| extend managed = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project managed = iff(managed == 'true', 'Managed', 'Unmanaged'), count_\",\"size\":3,\"title\":\"Managed and Unmanaged workload counts\",\"noDataMessage\":\"No workloads\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_type)\\n| mv-expand keyValue = parsedJson\\n| extend type = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project type, count_\",\"size\":3,\"title\":\"VENs by type\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_os)\\n| mv-expand keyValue = parsedJson\\n| extend os = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project os, count_\",\"size\":3,\"title\":\"Managed workloads by OS\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"maxWidth\":\"50\"}}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"0\"},\"name\":\"WorkloadOperations\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_enforcement_mode)\\n| mv-expand keyValue = parsedJson\\n| extend mode = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project mode = case(mode == 'full', 'Full',\\n         mode == 'visibility_only', 'Visibility Only',\\n         mode == 'selective', \\\"Selective\\\",\\n        \\\"Idle\\\"), count_\\n\",\"size\":3,\"title\":\"Workloads by enforcement modes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 7\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_status)\\n| mv-expand keyValue = parsedJson\\n| extend status = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project status, count_\\n\",\"size\":3,\"title\":\"VENs by Status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_sync_state)\\n| mv-expand keyValue = parsedJson\\n| extend sync_state = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project sync_state, count_\\n\",\"size\":3,\"title\":\"VENs by synchronization state\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Workload Investigations\"}],\"fromTemplateId\":\"sentinel-apiWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Illumio Workloads Stats\\n---\\n\\nThis workbook uses Illumio APIs to fetch workload details and presents stats.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"4de2c193-277e-4f8e-88b5-2caac1676e2b\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Operations\",\"subTarget\":\"0\",\"style\":\"link\",\"tabWidth\":\"500px\"},{\"id\":\"8b46c8dd-071a-4bd4-9d36-1247d8777702\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Investigations\",\"subTarget\":\"1\",\"style\":\"link\",\"tabWidth\":\"500px\"}]},\"name\":\"links - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print workload_response = '{GETWorkloadsAPI}'\\n| project parse_json(workload_response)\\n| mv-apply workload_response on (\\n    where workload_response.managed == 'true' and isnotempty(workload_response.risk_summary)\\n    | project exposure_severity = workload_response.risk_summary.ransomware.workload_exposure_severity,\\n            protection_percentage = workload_response.risk_summary.ransomware.ransomware_protection_percent,\\n            updated_at = workload_response.risk_summary.ransomware.last_updated_at\\n    )\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"Ransomware\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_version)\\n| mv-expand keyValue = parsedJson\\n| extend version = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project version, count_\",\"size\":3,\"title\":\"Workloads by VEN Version\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_managed)\\n| mv-expand keyValue = parsedJson\\n| extend managed = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project managed = iff(managed == 'true', 'Managed', 'Unmanaged'), count_\",\"size\":3,\"title\":\"Managed and Unmanaged workload counts\",\"noDataMessage\":\"No workloads\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_type)\\n| mv-expand keyValue = parsedJson\\n| extend type = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project type, count_\",\"size\":3,\"title\":\"VENs by type\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_os)\\n| mv-expand keyValue = parsedJson\\n| extend os = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project os, count_\",\"size\":3,\"title\":\"Managed workloads by OS\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"maxWidth\":\"50\"}}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"0\"},\"name\":\"WorkloadOperations\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_enforcement_mode)\\n| mv-expand keyValue = parsedJson\\n| extend mode = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project mode = case(mode == 'full', 'Full',\\n         mode == 'visibility_only', 'Visibility Only',\\n         mode == 'selective', \\\"Selective\\\",\\n        \\\"Idle\\\"), count_\\n\",\"size\":3,\"title\":\"Workloads by enforcement modes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 7\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_status)\\n| mv-expand keyValue = parsedJson\\n| extend status = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project status, count_\\n\",\"size\":3,\"title\":\"VENs by Status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_sync_state)\\n| mv-expand keyValue = parsedJson\\n| extend sync_state = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project sync_state, count_\\n\",\"size\":3,\"title\":\"VENs by synchronization state\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Workload Investigations\"}],\"fromTemplateId\":\"sentinel-apiWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
                 "version": "1.0",
                 "sourceId": "[variables('workspaceResourceId')]",
                 "category": "sentinel"
@@ -770,6 +784,93 @@
         "version": "[variables('workbookVersion3')]"
       }
     },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('workbookTemplateSpecName4')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "IllumioOnPremHealth Workbook with template version 3.4.0",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('workbookVersion4')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.Insights/workbooks",
+              "name": "[variables('workbookContentId4')]",
+              "location": "[parameters('workspace-location')]",
+              "kind": "shared",
+              "apiVersion": "2021-08-01",
+              "metadata": {
+                "description": "This workbook leverages events ingested by 'Syslog via AMA devices' and presents insights"
+              },
+              "properties": {
+                "displayName": "[parameters('workbook4-name')]",
+                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook leverages a function app to make an API call to Illumio Health API. \\nThe function app has the context of the onprem deployment to which api call has to be made.\\n\\nSome of the widgets also use Syslog table to visualize data.\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f0562353-928f-41f0-875c-99eb0f95fa38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Illumio_Health\",\"label\":\"Illumio Health\",\"type\":1,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"CustomEndpoint/1.0\\\",\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"https://azureonprempcehealth.azurewebsites.net/api/pce_onprem_http_trigger\\\",\\\"contentType\\\":\\\"text/plain\\\",\\\"urlParams\\\":[]}\\n\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":10},{\"id\":\"2a4639d7-a9c8-4e65-8bd7-26b97d813f6d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000}],\"allowCustom\":true},\"value\":{\"durationMs\":259200000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]\\n| project ClusterStatus = strcat(toupper(substring(json.status, 0, 1)), substring(json.status, 1))\\n\",\"size\":1,\"title\":\"Cluster Status\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"stat\",\"statSettings\":{\"valueAggregation\":\"None\",\"colorSettings\":{\"type\":\"static\",\"mode\":\"background\",\"heatmapPalette\":\"greenRed\"},\"tagText\":\"\",\"valueFontStyle\":\"mega\"},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]['nodes'][0]\\n| project json.runlevel\",\"size\":1,\"title\":\"Cluster Runlevel \",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"stat\",\"statSettings\":{\"valueAggregation\":\"None\",\"colorSettings\":{\"type\":\"static\",\"mode\":\"background\",\"heatmapPalette\":\"greenRed\"},\"tagText\":\"\",\"valueFontStyle\":\"mega\"},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print nodes = todynamic('{Illumio_Health}')[0]['nodes']\\n| mv-expand nodes\\n| project  Services_Running = array_length(nodes['services']['running'])\\n\\n\\n\",\"size\":1,\"title\":\"Running Services\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"stat\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Services_Running\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"45ch\"}},{\"columnMatch\":\"Services_Stopped\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"45ch\"}},{\"columnMatch\":\"Services_Partial\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"45ch\"}},{\"columnMatch\":\"services_running\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"sourceColumn\":\"services_stopped\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"sourceColumn\":\"services_partial\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"45ch\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"hostname\"},\"leftContent\":{\"columnMatch\":\"services_running\"},\"rightContent\":{\"columnMatch\":\"services_stopped\"},\"secondaryContent\":{\"columnMatch\":\"services_partial\"},\"showBorder\":false},\"graphSettings\":{\"type\":0},\"statSettings\":{\"valueAggregation\":\"None\",\"colorSettings\":{\"type\":\"static\",\"mode\":\"foreground\",\"staticColor\":\"green\",\"heatmapPalette\":\"greenRed\"},\"tagText\":\"\",\"valueFontStyle\":\"mega\"}},\"customWidth\":\"33.33\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print nodes = todynamic('{Illumio_Health}')[0]['nodes']\\n| mv-expand nodes\\n| project  Services_stopped = coalesce(array_length(nodes['services']['stopped']), 0)\\n\\n\\n\",\"size\":1,\"title\":\"Stopped Services\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"stat\",\"statSettings\":{\"valueAggregation\":\"None\",\"colorSettings\":{\"type\":\"static\",\"mode\":\"foreground\",\"staticColor\":\"redBright\",\"heatmapPalette\":\"greenRed\"},\"tagText\":\"\",\"valueFontStyle\":\"mega\"}},\"customWidth\":\"33.33\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print nodes = todynamic('{Illumio_Health}')[0]['nodes']\\n| mv-expand nodes\\n| project  Services_partial = coalesce(array_length(nodes['services']['partial']), 0)\\n\\n\\n\",\"size\":1,\"title\":\"Partial Services\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"stat\",\"statSettings\":{\"valueAggregation\":\"None\",\"colorSettings\":{\"type\":\"static\",\"mode\":\"foreground\",\"staticColor\":\"gray\",\"heatmapPalette\":\"greenRed\"},\"tagText\":\"\",\"valueFontStyle\":\"mega\"}},\"customWidth\":\"33\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"service stats\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Node Status\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print nodes = todynamic('{Illumio_Health}')[0]['nodes']\\n| mv-expand nodes\\n| project Hostname = nodes['hostname'], Runlevel = nodes['runlevel'], IpAddress = nodes['ip_address']\\n\\n\\n\",\"size\":3,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Hostname\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"15ch\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Hostname\",\"formatter\":1,\"tooltipFormat\":{\"tooltip\":\"Hostname\"}},\"leftContent\":{\"columnMatch\":\"Runlevel\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"tooltipFormat\":{\"tooltip\":\"Runlevel\"}},\"secondaryContent\":{\"columnMatch\":\"IpAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"tooltipFormat\":{\"tooltip\":\"Ip Address\"}},\"showBorder\":true,\"size\":\"full\"}},\"customWidth\":\"100\",\"name\":\"query - 0\"}]},\"name\":\"node_status\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Disk Latency (in milliseconds)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Syslog\\n| where SyslogMessage has 'illumio_pce/system_health' and SyslogMessage has 'src=disk_latency' and SyslogMessage has 'disk=Traffic'\\n| extend traffic_disk_latency_milliseconds = toint(extract(@\\\"traffic_disk_latency_milliseconds=(\\\\d+)\\\", 1, SyslogMessage))\\n\",\"size\":0,\"aggregation\":3,\"title\":\"Traffic Disk\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"traffic_disk_latency_milliseconds\"],\"seriesLabelSettings\":[{\"seriesName\":\"153035ad-fede-495a-b6c2-6d4308689f79\",\"label\":\"Latency in milliseconds\"}],\"customThresholdLine\":\"300\",\"customThresholdLineStyle\":5,\"xSettings\":{\"label\":\"Time\"},\"ySettings\":{\"label\":\"Traffic Disk Latency\"}}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Syslog\\n| where SyslogMessage has 'illumio_pce/system_health' and SyslogMessage has 'src=disk_latency' and SyslogMessage has 'disk=Policy'\\n| extend policy_disk_latency_milliseconds = toint(extract(@\\\"policy_disk_latency_milliseconds=(\\\\d+)\\\", 1, SyslogMessage))\\n\",\"size\":0,\"aggregation\":3,\"title\":\"Policy Disk\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"policy_disk_latency_milliseconds\"],\"seriesLabelSettings\":[{\"seriesName\":\"153035ad-fede-495a-b6c2-6d4308689f79\",\"label\":\"Latency in milliseconds\"}],\"customThresholdLine\":\"300\",\"customThresholdLineStyle\":5}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Traffic Ingestion Stats\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Syslog\\n| where SyslogMessage has 'illumio_pce/system_health'\\n| extend \\n    collector_flows = iif(SyslogMessage has 'src=collector', toint(extract(@\\\"collector_summaries_per_second=(\\\\d+)\\\", 1, SyslogMessage)), 0),\\n    traffic_flows = iif(SyslogMessage has 'src=flow_analytics', toint(extract(@\\\"traffic_summaries_per_second=(\\\\d+)\\\", 1, SyslogMessage)), 0)\\n| summarize \\n    collector_flows = sum(collector_flows), \\n    traffic_flows = sum(traffic_flows) \\n    by bin(TimeGenerated, 10m)  // Adjust bin size (e.g., 1m for minutes, 5m, etc.)\\n| order by TimeGenerated asc\\n\",\"size\":3,\"aggregation\":3,\"title\":\"Traffic Flow Ingestion Rate (Average)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"collector_flows\",\"traffic_flows\"]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Syslog\\n| where SyslogMessage has 'illumio_pce/system_health' and SyslogMessage has 'src=flow_analytics'\\n| extend traffic_summaries_per_second = todouble(extract(@\\\"traffic_summaries_per_second=([\\\\d\\\\.]+)\\\", 1, SyslogMessage))\\n| extend traffic_backlog_utilization_percentage = todouble(extract(@\\\"traffic_backlog_utilization_percentage=([\\\\d\\\\.]+)\\\", 1, SyslogMessage))\\n| extend traffic_database_size_gb = todouble(extract(@\\\"traffic_database_size_gb=([\\\\d\\\\.]+)\\\", 1, SyslogMessage))\\n| extend traffic_database_utilization_percentage = todouble(extract(@\\\"traffic_database_utilization_percentage=([\\\\d\\\\.]+)\\\", 1, SyslogMessage))\\n| extend traffic_database_size_days = todouble(extract(@\\\"traffic_database_size_days=([\\\\d\\\\.]+)\\\", 1, SyslogMessage))\\n| project TimeGenerated, traffic_summaries_per_second, traffic_backlog_utilization_percentage, traffic_database_size_gb, traffic_database_utilization_percentage, traffic_database_size_days\",\"size\":3,\"aggregation\":3,\"title\":\"Traffic Backlog vs Traffic DB Utilization\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"traffic_backlog_utilization_percentage\",\"traffic_database_utilization_percentage\"]}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]\\n| mv-expand group = parsejson(json.groups)\\n| extend components = group.components\\n| mv-expand section = parsejson(components)\\n| where section['section'] == 'VEN Heartbeat'\\n| mv-expand node = section.contents[0].cluster\\n| mv-expand node_metrics = node.metrics\\n| project NodeAddress = node.node, Metric = node_metrics['metric'], MetricValue = node_metrics['entries'][0]['values'][0]['value']\",\"size\":3,\"title\":\"VEN Heartbeat Stats\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]\\n| mv-expand group = parsejson(json.groups)\\n| extend components = group.components\\n| mv-expand section = parsejson(components)\\n| where section['section'] == 'VEN Policy'\\n| mv-expand node = section.contents[0].cluster\\n| mv-expand node_metrics = node.metrics\\n| project NodeAddress = node.node, Metric = node_metrics['metric'], MetricValue = node_metrics['entries'][0]['values'][0]['value']\",\"size\":3,\"title\":\"VEN Policy Stats\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]\\n| mv-expand group = parsejson(json.groups)\\n| extend components = group.components\\n| mv-expand section = parsejson(components)\\n| where section['section'] == 'Policy Database Summary'\\n| mv-expand content = section.contents\\n| project  Metric = content['metric'], MetricValue = content['entries'][0]['values'][0]['value'], Unit = coalesce(content['entries'][0]['values'][0]['unit'], '')\",\"size\":0,\"title\":\"Policy Database Summary\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]\\n| mv-expand group = parsejson(json.groups)\\n| extend components = group.components\\n| mv-expand section = parsejson(components)\\n| where section['section'] == 'Traffic Database Summary'\\n| mv-expand content = section.contents\\n| project  Metric = content['metric'], MetricValue = content['entries'][0]['values'][0]['value'], Unit = coalesce(content['entries'][0]['values'][0]['unit'], '')\",\"size\":0,\"title\":\"Traffic Database Summary\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-UserWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+                "version": "1.0",
+                "sourceId": "[variables('workspaceResourceId')]",
+                "category": "sentinel"
+              }
+            },
+            {
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]",
+              "properties": {
+                "description": "@{workbookKey=IllumioOnPremHealthWorkbook; logoFileName=IllumioLogo.svg; description=This workbook leverages events ingested by 'Syslog via AMA devices' and presents insights; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Illumio OnPrem Health Workbook; templateRelativePath=IllumioOnPremHealth.json; subtitle=; provider=Illumio}.description",
+                "parentId": "[variables('workbookId4')]",
+                "contentId": "[variables('_workbookContentId4')]",
+                "kind": "Workbook",
+                "version": "[variables('workbookVersion4')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "IllumioSaaS",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "app-integrations@illumio.com"
+                },
+                "support": {
+                  "name": "Illumio",
+                  "email": "app-integrations@illumio.com",
+                  "tier": "Partner",
+                  "link": "https://www.illumio.com/support/support"
+                },
+                "dependencies": {
+                  "operator": "AND",
+                  "criteria": [
+                    {
+                      "contentId": "Syslog",
+                      "kind": "DataType"
+                    },
+                    {
+                      "contentId": "SyslogAMA",
+                      "kind": "DataConnector"
+                    }
+                  ]
+                }
+              }
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_workbookContentId4')]",
+        "contentKind": "Workbook",
+        "displayName": "[parameters('workbook4-name')]",
+        "contentProductId": "[variables('_workbookcontentProductId4')]",
+        "id": "[variables('_workbookcontentProductId4')]",
+        "version": "[variables('workbookVersion4')]"
+      }
+    },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
@@ -779,7 +880,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Illumio_VEN_Firewall_Tampering_Detection_Query_AnalyticalRules Analytics Rule with template version 3.3.0",
+        "description": "Illumio_VEN_Firewall_Tampering_Detection_Query_AnalyticalRules Analytics Rule with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -821,22 +922,22 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Host",
                     "fieldMappings": [
                       {
-                        "columnName": "hostname",
-                        "identifier": "HostName"
+                        "identifier": "HostName",
+                        "columnName": "hostname"
                       }
-                    ]
+                    ],
+                    "entityType": "Host"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "columnName": "ipaddress",
-                        "identifier": "Address"
+                        "identifier": "Address",
+                        "columnName": "ipaddress"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ],
                 "eventGroupingSettings": {
@@ -898,7 +999,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Illumio_VEN_Enforcement_Change_Detection_Query_AnalyticalRules Analytics Rule with template version 3.3.0",
+        "description": "Illumio_VEN_Enforcement_Change_Detection_Query_AnalyticalRules Analytics Rule with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -940,31 +1041,31 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Host",
                     "fieldMappings": [
                       {
-                        "columnName": "workload_name",
-                        "identifier": "HostName"
+                        "identifier": "HostName",
+                        "columnName": "workload_name"
                       }
-                    ]
+                    ],
+                    "entityType": "Host"
                   },
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "created_by",
-                        "identifier": "Name"
+                        "identifier": "Name",
+                        "columnName": "created_by"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "columnName": "ipaddress",
-                        "identifier": "Address"
+                        "identifier": "Address",
+                        "columnName": "ipaddress"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ],
                 "eventGroupingSettings": {
@@ -1026,7 +1127,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Illumio_VEN_Offline_Detection_Query_AnalyticalRules Analytics Rule with template version 3.3.0",
+        "description": "Illumio_VEN_Offline_Detection_Query_AnalyticalRules Analytics Rule with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1068,13 +1169,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Host",
                     "fieldMappings": [
                       {
-                        "columnName": "hostname",
-                        "identifier": "HostName"
+                        "identifier": "HostName",
+                        "columnName": "hostname"
                       }
-                    ]
+                    ],
+                    "entityType": "Host"
                   }
                 ],
                 "eventGroupingSettings": {
@@ -1136,7 +1237,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Illumio_VEN_Clone_Detection_Query_AnalyticalRules Analytics Rule with template version 3.3.0",
+        "description": "Illumio_VEN_Clone_Detection_Query_AnalyticalRules Analytics Rule with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1178,13 +1279,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Host",
                     "fieldMappings": [
                       {
-                        "columnName": "hostname",
-                        "identifier": "HostName"
+                        "identifier": "HostName",
+                        "columnName": "hostname"
                       }
-                    ]
+                    ],
+                    "entityType": "Host"
                   }
                 ],
                 "eventGroupingSettings": {
@@ -1246,7 +1347,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Illumio_VEN_Deactivated_Query_AnalyticalRules Analytics Rule with template version 3.3.0",
+        "description": "Illumio_VEN_Deactivated_Query_AnalyticalRules Analytics Rule with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1288,22 +1389,22 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Host",
                     "fieldMappings": [
                       {
-                        "columnName": "hostname",
-                        "identifier": "HostName"
+                        "identifier": "HostName",
+                        "columnName": "hostname"
                       }
-                    ]
+                    ],
+                    "entityType": "Host"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "columnName": "ipaddress",
-                        "identifier": "Address"
+                        "identifier": "Address",
+                        "columnName": "ipaddress"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ],
                 "eventGroupingSettings": {
@@ -1365,7 +1466,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Illumio_VEN_Suspend_Query_AnalyticalRules Analytics Rule with template version 3.3.0",
+        "description": "Illumio_VEN_Suspend_Query_AnalyticalRules Analytics Rule with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1407,22 +1508,22 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Host",
                     "fieldMappings": [
                       {
-                        "columnName": "hostname",
-                        "identifier": "HostName"
+                        "identifier": "HostName",
+                        "columnName": "hostname"
                       }
-                    ]
+                    ],
+                    "entityType": "Host"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "columnName": "ipaddress",
-                        "identifier": "Address"
+                        "identifier": "Address",
+                        "columnName": "ipaddress"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ],
                 "eventGroupingSettings": {
@@ -1484,7 +1585,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "IllumioSaaS_FunctionAppConnector Playbook with template version 3.3.0",
+        "description": "IllumioSaaS_FunctionAppConnector Playbook with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion1')]",
@@ -1723,7 +1824,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Illumio-Ven-Details Playbook with template version 3.3.0",
+        "description": "Illumio-Ven-Details Playbook with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion2')]",
@@ -2167,7 +2268,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Illumio-Port-Blocking-Switch Playbook with template version 3.3.0",
+        "description": "Illumio-Port-Blocking-Switch Playbook with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion3')]",
@@ -2192,11 +2293,41 @@
             "storageAccountName": "[[parameters('FunctionAppName')]",
             "functionAppName": "[[parameters('FunctionAppName')]",
             "applicationInsightsName": "[[parameters('FunctionAppName')]",
+            "o365ConnectionName": "[[[concat('o365-', parameters('PlaybookName'))]",
+            "sentinelConnectionName": "[[[concat('azuresentinel-', parameters('PlaybookName'))]",
+            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-1": "[[variables('connection-1')]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
             "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
             "workspace-name": "[parameters('workspace')]",
             "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
           },
           "resources": [
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('o365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[parameters('DeployersUserName')]",
+                "api": {
+                  "id": "[[variables('_connection-1')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('sentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[parameters('DeployersUserName')]",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
+                }
+              }
+            },
             {
               "type": "Microsoft.Logic/workflows",
               "apiVersion": "2017-07-01",
@@ -2327,6 +2458,22 @@
                       }
                     }
                   }
+                },
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "azuresentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
+                        "connectionName": "[[variables('sentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+                      },
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+                        "connectionName": "[[variables('o365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+                      }
+                    }
+                  }
                 }
               },
               "tags": {
@@ -2414,7 +2561,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Illumio-Quarantine-Workload Playbook with template version 3.3.0",
+        "description": "Illumio-Quarantine-Workload Playbook with template version 3.4.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion4')]",
@@ -2426,6 +2573,10 @@
                 "description": "PlayBook Name"
               }
             },
+            "DeployersUserName": {
+              "defaultValue": "<username>@<domain>",
+              "type": "string"
+            },
             "FunctionAppName": {
               "defaultValue": "illumiopbfuncapp",
               "type": "String",
@@ -2436,11 +2587,41 @@
           },
           "variables": {
             "functionAppName": "[[parameters('FunctionAppName')]",
+            "o365ConnectionName": "[[[concat('o365-', parameters('PlaybookName'))]",
+            "sentinelConnectionName": "[[[concat('azuresentinel-', parameters('PlaybookName'))]",
+            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-1": "[[variables('connection-1')]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
             "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
             "workspace-name": "[parameters('workspace')]",
             "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
           },
           "resources": [
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('o365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[parameters('DeployersUserName')]",
+                "api": {
+                  "id": "[[variables('_connection-1')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('sentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[parameters('DeployersUserName')]",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
+                }
+              }
+            },
             {
               "type": "Microsoft.Logic/workflows",
               "apiVersion": "2017-07-01",
@@ -2493,6 +2674,22 @@
                       }
                     }
                   }
+                },
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "azuresentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
+                        "connectionName": "[[variables('sentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+                      },
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+                        "connectionName": "[[variables('o365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+                      }
+                    }
+                  }
                 }
               },
               "tags": {
@@ -2576,12 +2773,12 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.3.0",
+        "version": "3.4.0",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "IllumioSaaS",
         "publisherDisplayName": "Illumio",
-        "descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p><a href=\"https://www.illumio.com/\">IllumioSaaS</a> solution provides ability to ingest auditable and flow events from AWS S3 bucket.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Workbooks:</strong> 3, <strong>Analytic Rules:</strong> 6, <strong>Function Apps:</strong> 1, <strong>Playbooks:</strong> 3</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
+        "descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p><a href=\"https://www.illumio.com/\">IllumioSaaS</a> solution provides ability to ingest auditable and flow events from AWS S3 bucket.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Workbooks:</strong> 4, <strong>Analytic Rules:</strong> 6, <strong>Function Apps:</strong> 1, <strong>Playbooks:</strong> 3</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
         "contentKind": "Solution",
         "contentProductId": "[variables('_solutioncontentProductId')]",
         "id": "[variables('_solutioncontentProductId')]",
@@ -2625,6 +2822,11 @@
               "contentId": "[variables('_workbookContentId3')]",
               "version": "[variables('workbookVersion3')]"
             },
+            {
+              "kind": "Workbook",
+              "contentId": "[variables('_workbookContentId4')]",
+              "version": "[variables('workbookVersion4')]"
+            },
             {
               "kind": "AnalyticsRule",
               "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
diff --git a/Solutions/IllumioSaaS/Package/testParameters.json b/Solutions/IllumioSaaS/Package/testParameters.json
index 47149fc5ef..5dfce5d619 100644
--- a/Solutions/IllumioSaaS/Package/testParameters.json
+++ b/Solutions/IllumioSaaS/Package/testParameters.json
@@ -44,5 +44,13 @@
     "metadata": {
       "description": "Name for the workbook"
     }
+  },
+  "workbook4-name": {
+    "type": "string",
+    "defaultValue": "Illumio OnPrem Health Workbook",
+    "minLength": 1,
+    "metadata": {
+      "description": "Name for the workbook"
+    }
   }
 }
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
index dd3e255161..8e51d9b5a8 100644
--- a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
@@ -50,9 +50,38 @@
         "hostingPlanName": "[parameters('FunctionAppName')]",
         "storageAccountName": "[parameters('FunctionAppName')]",
         "functionAppName": "[parameters('FunctionAppName')]",
-        "applicationInsightsName": "[parameters('FunctionAppName')]"
+        "applicationInsightsName": "[parameters('FunctionAppName')]",
+        "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]",
+        "sentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]"
+
     },
     "resources": [
+        {
+            "type": "Microsoft.Web/connections",
+            "apiVersion": "2016-06-01",
+            "name": "[variables('o365ConnectionName')]",
+            "location": "[resourceGroup().location]",
+            "properties": {
+                "displayName": "[parameters('DeployersUserName')]",
+                "customParameterValues": {},
+                "api": {
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Web/connections",
+            "apiVersion": "2016-06-01",
+            "name": "[variables('sentinelConnectionName')]",
+            "location": "[resourceGroup().location]",
+            "properties": {
+                "displayName": "[parameters('DeployersUserName')]",
+                "customParameterValues": {},
+                "api": {
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                }
+            }
+        },        
         {
             "type": "Microsoft.Logic/workflows",
             "apiVersion": "2017-07-01",
@@ -189,7 +218,18 @@
                 },
                 "parameters": {
                     "$connections": {
-                        "value": {}
+                        "value": {
+                            "azuresentinel": {
+                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
+                                "connectionName": "[variables('sentinelConnectionName')]",
+                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                            },
+                            "office365": {
+                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+                                "connectionName": "[variables('o365ConnectionName')]",
+                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+                            }
+                        }
                     }
                 }
             }
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json b/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json
index 291c961400..3e0e2a4eee 100644
--- a/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json
@@ -38,6 +38,10 @@
                 "description": "PlayBook Name"
             }
         },
+        "DeployersUserName": {
+            "defaultValue": "<username>@<domain>",
+            "type": "string"
+          },        
         "FunctionAppName": {
             "defaultValue": "illumiopbfuncapp",
             "type": "String",
@@ -47,9 +51,37 @@
         }
     },
     "variables": {
-        "functionAppName": "[parameters('FunctionAppName')]"
+        "functionAppName": "[parameters('FunctionAppName')]",
+        "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]",
+        "sentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]"
     },
     "resources": [
+        {
+            "type": "Microsoft.Web/connections",
+            "apiVersion": "2016-06-01",
+            "name": "[variables('o365ConnectionName')]",
+            "location": "[resourceGroup().location]",
+            "properties": {
+                "displayName": "[parameters('DeployersUserName')]",
+                "customParameterValues": {},
+                "api": {
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Web/connections",
+            "apiVersion": "2016-06-01",
+            "name": "[variables('sentinelConnectionName')]",
+            "location": "[resourceGroup().location]",
+            "properties": {
+                "displayName": "[parameters('DeployersUserName')]",
+                "customParameterValues": {},
+                "api": {
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                }
+            }
+        },        
         {
             "type": "Microsoft.Logic/workflows",
             "apiVersion": "2017-07-01",
@@ -108,7 +140,18 @@
                 },
                 "parameters": {
                     "$connections": {
-                        "value": {}
+                        "value": {
+                            "azuresentinel": {
+                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
+                                "connectionName": "[variables('sentinelConnectionName')]",
+                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                            },
+                            "office365": {
+                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+                                "connectionName": "[variables('o365ConnectionName')]",
+                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+                            }
+                        }
                     }
                 }
             }
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index d0d539073f..16fdcd4d45 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -8023,6 +8023,26 @@
 		"subtitle": "",
 		"provider": "Illumio"
 	},
+	{
+		"workbookKey": "IllumioOnPremHealthWorkbook",
+		"logoFileName": "IllumioLogo.svg",
+		"description": "This workbook leverages events ingested by 'Syslog via AMA devices' and presents insights",
+		"dataTypesDependencies": [
+			"Syslog"
+		],
+		"dataConnectorsDependencies": [			
+			"SyslogAMA"
+		],
+		"previewImagesFileNames": [
+			"IllumioWorkloadsSummarizedBlack.png",
+			"IllumioWorkloadsSummarizedWhite.png"
+		],
+		"version": "1.2.0",
+		"title": "Illumio OnPrem Health Workbook",
+		"templateRelativePath": "IllumioOnPremHealth.json",
+		"subtitle": "",
+		"provider": "Illumio"
+	},	
 	{
 		"workbookKey": "CEFOverview",
 		"logoFileName": "Azure_Sentinel.svg",