From f40bf0d58d4ac574be41365ee0be68203f959b2c Mon Sep 17 00:00:00 2001 From: ashwin Date: Fri, 17 Jan 2025 16:44:07 -0800 Subject: [PATCH] compiled solution package, added an entry in workbooksmetadata --- Solutions/IllumioSaaS/Package/3.4.0.zip | Bin 0 -> 27570 bytes .../Package/createUiDefinition.json | 16 +- .../IllumioSaaS/Package/mainTemplate.json | 330 ++++++++++++++---- .../IllumioSaaS/Package/testParameters.json | 8 + .../azuredeploy.json | 44 ++- .../azuredeploy.json | 47 ++- Workbooks/WorkbooksMetadata.json | 20 ++ 7 files changed, 396 insertions(+), 69 deletions(-) create mode 100644 Solutions/IllumioSaaS/Package/3.4.0.zip 
diff --git a/Solutions/IllumioSaaS/Package/3.4.0.zip b/Solutions/IllumioSaaS/Package/3.4.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..ef4d0ff965cb3e76d88713bd3e3032dfa0cdf60d GIT binary patch literal 27570 zcmV)-K!?9jO9KQH000080LXhWS`t@{BwYyr00l1q02crN0Aq4xVRU6xX+&jaX>MtB zX>V>WYIARH-CF%_8@UnxKTk1G3s^FwmE(N0Fq%84wv!l0&W5GhC~PC3b}21u?sAXh zTG6Ej`Ye64K1qkrkRMnk15yeEb{)P zMEs{#*K8G%IN(&8tv)he3MD4m8(7vA29EZIN`-6;ZEY(zn-EDNs*wf>zTgOs`68aM zY4MCBOr5jehzxLSLb#&cd}2%#^Hqfu#{#N+$r7Dy`ZpF$K}rA3WuX>HX5N(PFde6g zO59Ex)flDNGr0eILmXr=<$cr=3fTW3rb6|PI8P%c%!8+Hrk5?4u|S8&{V%VQ&-fTp zHVt+0{L^K88E|l4nv6LGbat4a zg@E4RDHKekh+uF&gy9Pqr~Wn7o-^_R(FFEI98+Hlsf@j!cVT<`T*&LO5Z89(r5PE- zgwHke;WXvc4!<_TZ`0Vfat)HCTzgfQ&_|p$J3B4ZCCl8~V8& zI`D5;=2F=I>x&B`2Ey;Ox@G98bX<+SGAMBlmy1;T^u(#$2K+^Z0IIp<7(Ig6Ej|{x zt6ywe*>cr7!jEEQ0#Ws6sC|_XpQ?V6@7*VuzO+^TYGySK)&Q$%F&{AB5*klYtqR>$ z@%y%-DlUA|q$W&;BtSn}7&l3m1p&1w?L7-jsN^iVFrzS~8klyzY4QRWQ*>PCWeN%% zR0X@Oo~Cuf6hm*%Q*5Kqxeeb*ktU0h6O+XbKQo0sVzRfEX@$$P>felKnZ9#JsHE{2 z>w-Bf9_+*5ypX>ljh-j8UV;k$^#(E;Bn)FwOTlZ4gy17)gl~;Zo|!Oist=6krIHkC zkZ7RhESL_gK2NiwgFQPa%!$6HL6tQYl7Qu9=VEFLp=@&+Pj%R?sjl7e%<($ioz7LO zrr%#NAL<652!$zrt#^l`nh#?A)S=xDH%D)1S0fO2VL^AR;`R3pl%Gk$dRgIqv%9mq z)7$xLZ|C_IO1o^)?rPi3?q{}r5k&|z4x~s9uqsrEIT=%Ks2e>X;W!Wq9ylyAv_=5} z&HFA`KEUk)Q?h1Q9Do~JiFEVzSeYeXV5TE6B=V7$NcB zF~eUkt`Lckp@Nw__@_w0C$TLjl?m`urLnS@ zs$yASILy(x8gNG$KOPJw=#;DAY!@8RPo;xcG`48VqQ3<(F*%nYd783-#J&N4;Lt&d z=L{_NS~b1gR-S4V?_O5xq1e~E8?~C*p<%r0yGuYV6VRx`s>%iWB0jN9Qpu_fgMZ&$0h_?_dPy9&f2va09&rCF?SA2NbkZpF3|^D4SV zUV--u?=oK3jNw{|P`bYCK*SZ4bh|Q5Gz#~y1X0NJ$f-dsrG{LRHa26}0)><(Cca^c zMaEEBfPg=;j#b-pYB@(oXL7!*DCp=-7CAX{9yBF>hDZWg>L z-oAcg4K9xcY1#RL%ROJMe+P(*@ykmMwJHJ@FosD(5AOQ?D z*;rJ+cp78didvK{j`ovSwcL<7vjS|UjThv~FjzNnFVj>}TOZ4|FV}9{3<2;Nh| zb+{qZzWlLFo5iSmQS4%LYdBY?Il5s41|J6y&>M!hd20jKeh|PeUI8`&>_OA)Hv;UY zoxTfTHwyPKfL+M+)Ah#^dMnkr(-&Sn%cq>oHOlr~G8UqkXD=?_4X&&XvA?l>L@TIz#`05s4B+ zCg^6h?@{Z?-G%&5le?W=n%++x#XcgiSi^Zp<5C$%D$@rh^mC@eO;_YxKkG-;hw(&6 
z-`WiJLxNRmllFZgjD27Gp5Z^I1XWXvL88=sE_<7D-gn;)*bRk|fTMuZ{#gmpl_7pC zhgd)SK0Evcjwch$trQMymNSK6{jTst2>ce`+6fb9;Pax z@n-G&`uAktOd)Hr?t?nzB)?_V*eRbh&3Hn4@>5=%ca}bW{kMT@`tqh*T$O?XFOHZ>m?hCfK@| zFsXF=8?OwZN43A>+EADNni8(^753gwzWuD+dEtJMy(5&Lp?W{4RXbSz(5_OHm$(c` z!(Q2CG^5SiXSdJ(4^T@31QY-O00;ocdofyamwymfVE_QLh64Z*0001OVQFquWo>Y5 zVRU6KYIARH?Y-%G+sKkA_`jY4t#j{3$t_UaCArGJrIO_;b$QXTWY^r0JZun1l4yef z3jihSxHaEA%RJgV$wY2I0?5R|MT-rc?y`j3A|oRrBO@aszx||XTmK_4r)XwuJ=eCT zVK@(-@9ohq&6(jE6Es6^*fjpN@KMwBW~?mO>$KX3daI|m+Itq7JKim>cY$Ve#|TmL zzXH$w$JQ?H-}KxNiasGfuss(K({8r#|7h_Hg@$E>c>HhhH+(S`;neeSMPokKZD>95 zjS$)fzuJzonAsi%gtR8z&+y0ru7B=13tUkP864W!^R-jj=-e>Qx1h}(8Fp^?1`G{A z#REH@Nydr3z_;*rj&RpO=-cju4T{0G-8aacgi|PNM_(;8HWp6!$#52=)uoRDZ{eHh zci&sgw|AO+h|fY#X#}vI0@JtW44kcZUZ^bsWbJCBMX0$5S;*2tPn#P-pc(#555q4o z>mbzr^9>t9Kc9LF$I_vx{u|Q&Fnr7OpxJ*mHSI5?*=`Ub!@|94;S_2AdE@zCg1KQL zodfxw+RfB9r}xdo)`xdK0C<7zcqGaLfLNc^2W~2=YmO#b5+kt zNnK^;`WGKda{)p^>TkS>cH|n)ZD^YTtRC`__SQCiFYv~pb`E@EyU4){8lZ47SI=SO zd0*N(?su6*V;rX)Ei5}UMh?8iHs8+?RZa}&6k1HCVXzl%0zqR}6Zem(05*_aP3Ywu znG4?zZ=)^}P~mQbIjQDOb|oo(iV%~75w6jl&yk5qw=M3nin;AJ_Hw4y*ezIqu`%Y@L3zY&}lEFrcK9Ftu3E>5AF~ciJ*)rPK>9(E{v{74* zK{@9n*acTlk$Dz^hGYT{LZ3IIJo=OZF7l=vx0eNTPfVS_5(}pcnrFEJ>aQ{aDhuyA z_~T}@G=Fe1%d&9)~)U3=HJ%K*yp^cu|)YREqCw2D9P-pKEQfIG-I(voG*(*bxy+=!( zy<+N2A<1C&un!9dy&wG-D8+5j#vm4_wc$Z*Iv9%e%!J~G4p9&F1_Ql&xZl!y?Ll83 znFp4>zu#$_12pdT451^jpL_*5Lr+Hz@r-{DgBzDAU z$W~+})zt8pCg8~CieaI>l$#PAutA88&M#pa%hGPAfOb2jX_wUOA0Cb^^RT0%(ZJGs zqkd06u=Wr2j?o?O_gcn5Z(yisH&3B0NxNl+FHO7mqV7s)x7;Mk)9x~=>zZk|)RZdI zZnuDTyQOKD)I?@$e{5P^eZSKi>%9&@dN}TP^;WNa&}y4Te>^Z%w40~wmX*6DhA&OK z_o52RN!l$ld}-Rf7e!e@yX7WPo_3c}de=<5rKTj%Zod@m_6umY zUz&DFO|yM4vJT9S-fxXTu`!H}e$ei8bgS1p?DV>W&c3y;qTT-Lv|DEQ(zM%uAlfZA ziSo4De|Xw0HKoe5J1C&tL2240HTS#whvWTzM{gehe7&w|=m(?yp1$AO@9kTl;&jFb zD%u^aPP=7>FHO6H2cq3_lPFKSgNLWxQd26RUE#`l_cx-c2A!y!=W~#U1xz zBbhsuxFdZfsN#-g>>_h#Y3?{fP@k@1PFu9{i8Maam+H-nET-v z*(GC|_T(J%&jnzSI5z71W?Q5|S#g?Q6kW*JMN(DGExjUc>6L|4-ZGb2dQxV|vlUfi 
zmR=cVxffGVMP^CgnW~s&8S~HmFpKQYGfjG_N%Ha1lU!ns!SZwD@i^HzX6kCPQZ_j@ zx5&LZir|3RT#^ZAJjTm9=Xo|@ZOCOLOwsd8#5M4x)n;mojIzA}lSw2gS0$v%=nZFh;XL`*`mD9ca$=Ud`0k-%4z@zuQ9h4C}2*w$NJ87oFD zR*(ouC;V*JOR{U!9@Jzakbg%m@@@0uX|{@j1w^W$;C*Bf7Sd`^(axwiLupV(8hdu= zBtmQmmu)Ws*aI|TKhU@VA=r_3F<*=vJD4KT04A>~@bz26|6+MJ6t%3;=WWh_H#avt z%7rl9j==J4`2rHCV;XZ~WII57I1&(G#u1W;#-iCSe98vLHMI-eFxy|YBO?lLGh9o< zN)+##L=ztUb*`Ovwb8=-g2JYJ$`jw1Pye}q<(F_D|B)>yX$|xSbi*TxF1*li1fUo! zJ~9!G-IM}Ax^d71xuO=G=|tUjWCRGqe=9T}M)3hd>J&XZezPU*;7;Cer3n+f2aDOv zz(`zby2&moP8R!q7tT}i^|O>90t2=Pv@}Jew#IYPo92xxtmxk*R#Urjwg1)vIPYtt zTkXQ0AtJ+IYqK;A0xfs!nH_5F)_T@nIkmE@mzh{{<<>H%((8=(mJ8ULmRMuH2j_8{ zn)r<%#DPX17@L&gU6{D=^WPlT|3U;y+6!%FeBDkUY$x4>h9cX6>tSsyyd~9l)F-YZiYiABa>@u$u5A zBJvHa$Qy6M7etEFWLwys@h!0?01d6u{k+tSiMQQtS#lL61*=TnJsiLact5X5G{&`I zJ4~ff=!|$b3XO1qX{jy8+m;=iF~$42Ha469NvcWtc?;CqnH^wFUas1bO8jJU#&q%= zVpGvIRib(8(#L>2LJ>fJWe3<2a{(u9+`Er6YG7sX2J@jNRMc=X3Klv}lQtM23VihU z!uF9R*A7$Qv$44L69w_*wGB*fUcNR5=d8rquqI@pP$~2mNZqqWQB$U#g&Y+1sH`X> zbn;!*_nOILFPOsmS%0G2RVYQI4>(rPKD95?}jhMX203B^xGFEtexa>36B@#as3w2)&tllg_1AuJ6RO z`WG7Q1;B@aNKtv{N$Jub)M5(=Ds{}qpG+WMsAxoAwWIkQrUk| zpsh~~9EqM@?liU2v3Bb%hzz2(pMV=SxPipNrzWOC?PB{$Xkaymov?$&d=4k8rgjwK zj(h??wxIyrw=llr@P5cR)NTt?O4v|Ho}*p*4VGr%JJIq8Yl7j2r9uHQ0nIi-8Bv0x zvr{Zo2^awaAi_#iaQf!W$G4~NhtN&D(Bel38AWHSa2>N3IXLKY6Zmj zHoYJWn%eOcnP13|muaZxzHMT*nZqU;%Qt#$kQ8vN=AK18j`jp0M^>JFZ(g}qE}&-n z{hYysvAqLGBIb7F+-k7J01TK!X+}N!UsNyv!EOgT8dfm8FUZBe!|W);unTLSaBih$ z`h#Ey#iWkQX2_fxt{u#X@3F3`c7hxPAu%gOl2&;pajwxiom=Qt-lx2C8;bJ8=U%7AHVT zykmQ^;B1U(C6=VbYD`n^5t|l9X3B0y=@yIOiHGS4<~l-zqVZO63Z!TRAR@VZiq?#d zu&d2sO9+rkJQJ9LzXL2yj*eb|n3+2^%cG}j zuc60R#~-xqSM+AiVTtuLf8ijqR+u=VIz;_ErtXr4Xe*k@FR z5i>P_?I;wmSV`2y=K$RBj1s~ZgytGHM`1%M##gk|K24y=OjaRu4OE1X%knAaomt~s zqcb0oZHp+U8{x9!spr8wJU5yFAl>&26XXnKs1d@n;E@(Uu_qt~kRPSJq@_n6-p1F& zan4AxkV3*pB7R8;m&$lF*nZuG;W)QtF!Cz84BiMjK9XtS%?p9ZXSxCq?TneR`QR8? 
zN2%FS#STkIzy`jm#y8b?n*o*r(qmiOvuAV)(a8WvbhHRVzy-l2CNB72c=>Oatl|Z$ zDC~P*jOHw07vrHv&`kT-$yDN5>~!IpUl$z9ceJaJ{LckeV0Iz`XrwQ(9TS8cR)PXq zLd@t)xtrD|cNv<1{f-2|#{0yaBI*HDy3=g6fQXk`th}6tREwhtYgzu*=pf~y8;yHu zXe3)K+wH{_OHdt=$3ftkHd)(f9bw73O$}e5(koD`l#INunq$EFAS_EjA(;3Gas3Dc z_l(X2;HN4MAS{7B{iYzBT z4-`#wF5!oRo;c9f?@k1%X8H<)W{lMs-CjqWGSIySKy5995n@gXKEr zM-u{?lt$T#ChbhW0ICq29UR;J@{*hcL9>PJ3pAp54@T~_?Rzd|VeW%O_Z+sToEvnb z5wuy@(n7-zGpGV>54H{%2FQS&h5~49sgP6pQcRi&I8ozT%wmr-T*>SrnQ!SY$-h&J zm+`q-g;eRIH>|aW+vcjF9kl7GNxLmjjrI zcOjX_gL}uWnB+Gxvnb3tt}M@I6fKK$o(} z3hA_^gGum{%zd5ZT?ydP3l&npIY_y$SCkrunPrLw%5|zlGdQRef}?Q$q?e*+AcS2c zqXO(j17crvj!ye#vN`a7B@@pVj>2ED5n4bN@HBBQ|5Hsayo$oNIvZ~AS z)Lq`Jkl=(SjEB#O3wa_3d@Jd%z9O^p_J0=e`j(ZvqOIry%!f$^pD3Zt1Vg8QmUu8% zYF|}g{Uj0~Be-?MnPm3lW#UU7-yW`%Ta=WfPJY{I#l@A8}OU9MDnpy;0RQ9T=o=2=?YsH1n3 zlBg(JXN7Q^;xL;ZD7+>=tR{27UM-Afnedq=qT=;_0DpnY-kQ1ix6v7jpMp(k!M0w#$aAZ8A(vy)L=oAj&Y1-0+WNjCo$TN0~4WnK5@gVIB7r&aq4wM>(hW3eN6@ z;TlC@8U^7Q8Czbuk2Ni0e)vTlb|FD;xp0g1Q(S&nMZWPjbxW5MHX)&_<-;U?fbfVi zjJdWjh&ue?5rscgS@}v~4v#y$AthLpdP-sVLXo0Zhbz?K3ileWQ1KvAhb7cu2|rd? 
zLaA_sid^)#!w!nW4JuBz4lAg`3LZ;X!K&c|8zlW7Gi+de;Q|$xW{I$X6~h540$98K z*KYrtaQm-JhTo%mzxpzxIM?Y<=}y+}<+rJ9(yG_0>qOG_x)Mo87ll+VYW#KT?cQ-XNF<$Qt?VoAIWZ`CFPuxm4c3;dncfza%S?R$3zn^!8)cNH$s^G?0sF__^y-`# z2HC0P8qTxKd5TyjB(6)?5RfoY7n_9(V`);(;TfFbHEHW^#xp+ZAi$m;j{PrWy`tFI z`gX-VPp`I~Uv0hfLWFzSYd2e0Tf0|VaBQCiP;?0uF#*A^hwzyZJN%XE;LpFEGY-`$ zw2eB7VP(D97HM#Ju-_kB!MLS&P|q0ex4MVjL63A$Y7{(oQUl-8 zlP?VD9{cs2?QsQF1U)l?+-v zHqK{&)WBN7F}Zq!GJK79hvA1g5tjSP5U=R_iu&K=)gb_|73d6l=Ewlf8I2E--s@Qd z{jj&+)%)XC7abbLVRyg3#0qd7vZ@+^+YdG;2;sBC>TIQT~<;Gq+a}y26e_O7$t5L>( zptfJUi6@?NPBiWp}Y>8Cc z9(DWeUT38D&_P%44SIe3plfyY&LOg_et&>a*IGtyV3b^V=Lny{Ui+B;VhU|bC={C) z1yZL6m@%B1fIba|V*HWbmlSQw2`Y-k2=JMM*y;~MZx|4I z8WOqnLTh}>kl9`1XJ|v}Z_8Ry&W-&Ii9^8l4jDFp4}6QmwiW^bVH}Nf4o0Yl$>uE_ zkwNJtRVdKHu7UxH_#?TEu9?}1-H2T`lIEu2Q+CC0q{L4|Y$JQ(E@mSP+a0D6>YVbI zZG}@(-c2!c1_z|8WbZTMYqEnok-(N*{!Oesy?-GBWQd_7_b`pnm;t(BIt>MZT)Ao* zx!{dO96dIAu+uAsx1--Y-y$GIyU{x7Mv9m3k9P18Wf+)-tD+qx;oxT{wR33smZ9=vKHJ75MOqTB#NSg5Nnz;C zwRS68Dw0_%DW9OlQR-;@s7NhD6VJCz!x?+wP)#J>w?6D1V_C^?0LCHST&C+m^mTW~8_~T+mEid?^u7Sq! zi)n{Kpz(E<>%#B6cwMy{Ok)LIJcJ0E__meW(qLoy?Upe(X7)ePZ3IC?!4zXq^*z&? z+H_l5t#u^o%Ax)7?srtCqy>WZZ_w-I=LYo*i6iaO^>(zqJq^)2HeSYOO>WYlrAC@A zCGcVyhVO9#G{jdASs)VPD=KCD6ngB{-jOjG;?Rgp`-o?EE?b||lKB|#(l3}&h=EJ= zuV%+%h6HF4xrxPqch%Ov9& ze2>rWU}C{$(Hj!@(!xQ;$pCLM(Qo+MbK*O7hliqngSfpT{$pBunly$0yrdnD-EUjO ztIhRpU?_QQHCNypB?j*ZIFDqI(RBO?urUSVd_?Aug$oG67god=Qo(dfQpY4KGJ+*s zIWy+TLdP>t-LXdoePe`gJVNIQJ}7~=gjFWZ7+BVkj{fnFe`rT6E`@oFvwnfDSV)2p zd|>(BTqA?Uq-w~TH&f;!ymkQKeiE+rx>~dm+BbWhzCLP?`g+gUZ|et^+0_q6z25%V zXpg(?!4g-dM2tmhr*O^hn$E&P)MOg#r8&3#BpnTQxnU@#F-cX=+A(kZR$L5 zCEW6Zx=03Ukgh;c!#NumpX@4bzhl2@u4B`HI)YqwZ~gqa;lSwRYLpCmMvxJNC^ z9olYghqw-{Qnte)5OJmQFv5fiAdG4hcZPi(0z~4bhd5lqc8Q527g}0fOIFVvip3f? 
zldL}+8z2#tgQdhwT)B8w!Z;{*F3B;ZV&Yi4-SlWYkwJ8_LayQl}Ka7D~mKl`>`HIqScb9 zmP9|GB+Bdlo#!gSO_tI9ouY$gSXoiTk?xsrt0t_@Nsg#O7fMo#h1vhuDikKf!^yJcJX1eqj$~ze)q6#TIjH!Ph?3))4A<9!6uBwa!1p_+AL@M_&SUY zKG^tV+v9DF?Pp{eZCBg=7HOS#JG+{73xL_?Hnq@G)uXZ75OlA`uGSD$r{v#a1#wg6 zeI)l%{#CA&G(L*}32=Vi(RO}b(${qvw>69=89v48S_-RFqTG>mHZ-eZ>N~z;Nw;Cr zinU^YrOSjtQ#Va?Ia6neyPf1MZOYooz3_L13GXt9ckuxBm}_tBT30a3i^T!H!)<07 z?DA>s3fBNbe*MEJQn(<%jy2ziY`6`8x`|}?c6UeP3Dx6bnbRb+#Jf&35bh6>wG!Tj zStDplC4FGG!|b)N@7=t?dkg&4Zs7r_@h{$slsCYExHDF9(kN<}For7dM}#b9I3C$} zYO%gqo`O_lCJ)RcW3tFf(m)bP9>p2%3Hdg39&@Pku7X5#IqfnENNiF=?49)K#N^Xp zEos1;;uV8vJ>%$FMaUd;@+0YCIacyBojs1n#X2~?`5qq^|h5Wi~l}~3lRGZIFQjc-Wi#C4W=x2?{*cVaG!3g|R81~Om2=)gA z|Fy5tnGsGExF#(7vlc8ywD+Gmx_sW?t|=~|EP<-{e2j{MD!$29E@oMXI_8tF@Df{5 zkT+{xKf+cp&X4g3n>3$i%;c)s^WZ)bs{Zbk96BBrD9yo-f0XZ(COD|dgAY*;;!{Uh z%&q7BR2f{D>Wf}YlmHc1mqRA``Z>FN`8t4@DJ4#Ql6|bMenYQ}a85s;Cy~udCr2oL zGmp1k;<>!CO)G3D-%I+OPMtnyUFmc1a}^}3>UW6<&ziKb^ceBoCSJ z%GkrD&FMU`v^i*G_E5ju)Ax;@q4(M&q>s9TzHV8j)f@K*z1CrC3I7LdOdI;xhcxB+ zKwhT$5ETenb<#IDM>zjC?nmP$FzJQO!zbhEbvu>Q^mO`%szwi(!N){a-`XGb^lleB z!}RtK^$|jcdVkP8?Cl%luF+p67s}Jl;FEfDtwQpibj$n7+w%^ESR7sW#&~R--$?== z>7){wd|GV_8H3JPZyARJ9f`Fa=(yb)bUWy9Fjyx4RGrD^QD^emf3VPm%1L&x zHZro^ba+C0nsaBx=)IDserogGw7))7MKnSJmy_SJV&e^YqExuXn$n}jnP(G5=HI`j zT=Wx)1EqsoWfg|2Dlp)Hdo>>Ctl_KUK&9v9#uEGk zKU9I}b00JV3D%V3$a9>BnC^=7$%+wBAbkkSTZHtF_*EVnUQ9hoiBQ5Xe_W8~Q-oM{ z{L&FrAW;`ovliawhDDfMS#wYYP8K2OCeZXoRjP(v^uzIgG>gqX6GC;;V!I!|}~aag!_2_veZ_@$`vj&z0!;lPwYa zey$Q8jnu(xh4{IHgi6qEvAgCXhn@rVj&ZQI9V1B*uvdIbez{xLr=@6XVKKTqT$03~ z84eH`+75hk$iMGuRuD#im59p~8rpuU`Y9D6ycHB|+vD*zRKzYGLIun3dc`kO8ezyhJg^W$<1n{*EYcEfJJE;Oukjn^HK2IrE{R{;U>gA0q+XNiv>qIT zh?mR$E>=&44razzd$yRJV<&y=6Xb@k?1@d31k9_f__a@;r;N%vcXX?lC?H>tzS;o+ zC?Xo}See#Kl=_E2IV&q6IaHZ)xxqE#iho7xc%LeZcJg)Zcs{qlNHmpA0q~j_eyBD> z_>VkL#-Osukq7G2v?jDUUq<>Zan!G-VQHDkU%6QAVy|2wqJ6Pc8TNb^dwhi0$q_3< z>A$fpau=WALl0PMmm0N*WD%k}`LytJK)!_^LZbs7k;fXyH};@yxbR&dng#4EK@dG+ 
z*^K013H9r6lj_%jG1@oLVM}ih3^<3QeWV}sNBer`u+!=Gj6UFLDGAC8MFnH6+AiT#Y=VUY`nm&c%7w z6k3@=d$5U*x~;Bmwp(MMP_wNcj$3UVe(834gTup7?{EnU<;qZsLeIp{Ih4uk5zUa8 ztVGQ)Qlaouv4l|P_;zDKo~Z@;z)wC#q^UXf7o-h#+xt(3t_ku)I{?S#J7x<24RxDc z_K+fc)YjWHLJQLiH322dTeNuU&EYU6t-(65&DmU9-eKhvMR}K&PbTu>9&0|o?n%r0 zEW%6<+<=ybro8igT5OKwtq*81Qh;{IXC^OhGu(|vuI`&Ae&APLk73Zgp6j+PufmWx zUnquRNHqM(B9PZ$ctkT(1qQ?9R~IQ3njsTT(w<@vhR=ni0Fxnfw)iS9XBf3iSD(Rw zN={FlBvtgr&^h;K^70O!XQ0~(KsyYd!07H5y)CcP6YF&3br??JbU0RZGZ3mMdSPhw zRnRiD+J300z$rEG^l&ccqb@@$tp3Q66F`??b~Z-38z{J$VRwdOhjiOj)avquRxoCl zA-6j><>d^quzOp1xmUMrBX>W%cX0N3(xuW zKwg2NGq8Mxcf05T>==tK` z&O^^JF;_}l{B)H%cfjy$smk}ct~r*Mb8XU| zDCEWgL#`Lh$0{fe8E%6)_UF-k1@RxYc~S<&SciO{R^auJYm{G`oxZ$AgjdBHA968h zD>nHZ!w(B zZ8@Q}TRpC(+X@A`#g8-QTvdZ1?Qey=X}1{4j6H>(-->n){LHta4i}yZ1+L8xH@FMq zZ+(uCd_!-yBMJHy)IpUzX!8@!wXY!9Hb3LcCkpKH1B}yAEiymBSe62J`~YJc$}SH0 zc~ez^V@@>>etubmsRp>3VFFV%AAWop z%Y|>7pI)${2S4BhQ+p;q!nFAz=SHQpxA`f@_ofPr@?#F!2b9qAQ;sp2D9C$O2fahxFc9jD`t9zxzs#HK z_})&&OXB@yRfZBTG2^};HB&`ssK!)rvt^hnYF&w`k}Fm-Rb{41x-?_2%0E0nE`FV7 z0~}oZP$|rD$gWd|#LuhJQ>DAa0nhWpGtoti2QNyzvWLVS@Xhq7Zz9z6PepY9Q-=CqC$VW+I_I*cV9SHky+(GnF0&Ubm z1TbEp{UV5bX^NyB~V)TJZ3z;^1p^|C8*JC1N1 zY*IxgKeQ4%c$|5dT5KTRTkSW8hRVqsFhyTc3IF{uR=#t>xl%K@O8TOAb`##LI6yse zUuVx6MlH80N~cZxqtESvpe_=WPqty9;4&(C7r%L&T@=!%=dgIhTZ9*vaet~cU-x8- ziI0#gZy+CnME%OD^JPx=Z`=}JY?-X=r(|XEx)zDe{+gcrzS>N*$^D4G6@*tj-g46O zzJ#AB`%K3O0-k|Y6nmrq%c#b0IPvapz6a-1BM2J_F&5W)i)+2bifmr3kBwa>)=0JG zC0-17p|A_0`j1$;mF4i%WGb_C!P8J0HUZh#H65oFwn&O)i>BW(G9H+**^0yy_-Kwz zNG@&xB!`0s=_^v?K`f0u&?j_4NO+HTKtU~QrSUVQhj)h`{+OaUJHr0-Wvhv!oFkPW` zEX>rX9Sdv6!rHO0b}XzN3zIc!$3jvo)%c1!7RF9h%nbcP3ql`1$i$6_yINzf5ofV^ zCrK#A+D6&Xgj)kvbj8zo^@WctpI%-XuM5)ToYp6ncyj3$C#H(8?ncC016!^=oL}-S z3Ibz7dwJ*aA#qBfg-b69AJesjBnenbnD3mHO^LQlq{*$W*EC4$?L1yMy}ffLBnI*LMf?-N99Tcc7^B zJ>DJ6+2eGnhpnikl>QsPED{?)cUcDMM2N>}x@2-Fa0PzI=q~ZhF z_!9>53|vpZCf=@X;$Oe1wu!%}ZQ_#h+9sZ@P}{^4)oPnKDXwke@@=xV ziPtvq+9qDx#N+bXCZ4WQ+r-5)OKlTZRH$v@*&4M?ytawgHt`?DCNAdS8ZkR`_{i+z 
zxiCHfTX{>!!B-p0YhyVxpG3#_+E`v2%U{&Sa!Gk@EYDV`jpd1IwXvKO*T!=BHd!0X zYh!tBEU%5_ad~YlPuHl8<>Hy8HkK+W+h{R;iAoqU};z^gucQwW=?FA#7NAoSE?Ib+-qv`t6H`B`v^oWEeqk>`CO@c)m% zoT8aQYEHv&9z5UMo7mxWF>1nIx%ZYszjrhT7B&g|`Y8in=UoMRBgY%<&5Quhv`4!n zbHjyAn)&|j%H7)iNlX23WB%52ZL8gE$!bu9o?5udHzM5eH>OUl#?EJ1 z4=l~jE$)G%V=GndF7fwWvX^hE%H(PS_ZH!&`95CV)9mWv8Naz7cof#7p@aakFF1Y;Z#H~u1?tVXDwKaXn#L*{P?`)T~k~x34a0E0m9@Q z8c~a!GwHovw&{?!J?1r3UEo*laBDv60wE)Vk8z!91S(ymge;7I?l}tuf&@-wC_Oif zb9qITv>OJje=6lNP46Ut8;fx2`6|FUNXC2)Y8OaID!+nXZAR;`0hAjjSj;h}6b;1Y zE}u8-7`9Ugjdf~6QtuSYhZ{`;e&3~#nomcrJ7c>#`vht*$;f>$% z-CWiZ7s{Iz$_k+gTbXmBp$Wit@s1*?xP)NlP5)HOh zKJz_mVdg=Xu9ybWUcPCC&EzMM!Wczyu31HgWFT@)KZwA~>X2Q%)syLvvF<3D1Mm2J zj!e8rT@eLajz`Y{(xoG?>by##9hH{Bdp9BFwl0b92L?G-auBnF;~7?P9vYxya_*o{e{p?{YkFF@*-P>z z?2;~Doz#xQ&vN1}N53>@h6@v$!5o{$zZO2CJ02+u_ByThAtjPMSRu!|oe88xw8MWS zWHo0(g{({QK{u^b3D3ad2_*KGt*D=D5vPbCvqzRVoh7J+oLF-XQH=*yCgRC!Yw7YA`T9Jn=IIH8hd8 z=kT+26sMV!boJ9+yviwA;P^xeuAKG&G-YRrC#jg zD2Vu1BMf|XmCRQM*!ILvXZMe?3K!nha- zJ*4M^``~jDA7*ULzb2otKN$4}=7DADt^Ky4_eNGvKeW07z1`{UTL=5_)9S2wBB$;( z&bvHOPNrRHGD%w?St}rp!xV9J@`!_T#P9ee?ubIjyWElO5?MC!g;jCPlAgJ9AI^6X z6AXdw=YSMM9CLp^xrjInnC7mLuonx@-e;Oq%ku16hXbT@E9oA#Q|?bn{dhA~*gi?z zdmH%q@&@5dJ8(U`Gl#d?QJcOUd>PW5=(jtp`xs#SEP4PN?l8c@6rX!?d5 zc(WVW2%1sNOgG%X&VR72o7%dDz%nK*2+X6>Sn;pJY-j1=7IO<*?1x5JX$)*r9L8-~ zr#o5ed}M#8WMwU=6nKm2?_kht;h(#E$j=^A|HQYg)PvZbAO3dBMI_M2pNNyUWG(0% zp~-vSA~y*g%EYVpLJ*dIn>LtwH@|tT(%5hUl+4~v5Ca}QC(n!v0wgcG-){$^K607GI7({>Nn%d=-NB_nI@& zPoP(SLUJVF{F#k>VZX0gj1%8sstKG`t?7QZbk8ze%m{)qX_~JoemHBnMnHE$p*|7g z`3uD&+)-HZ@bD-msym$6jCYIk@vQo|W^%6>6Ju$LHvA~ zF~`K?8`K+KLA|H4!O4}Ab{S)zwNx*FG?^^MKb+k_9xL`FO4Y{T`Xlr)P>6Yp2e2`7 zDTKd;ecGpW7I}o(hhQ$7fHZInAlQQ5f6T&Hp7RO#pwZfX-QfL(nei=`ygsuRnLMB+ zP^9Vj)|lQ+a8Hj~=kvtHgt9(ptsVvt>fjvC_P3%daYyp8>}YmIdW7qp&~@#)&#BJj zHS3LDC$E669_HV)OSY~aUx~uGz%zv%4#^Ildu*!JS*G{YCswECHS)*ne1Wl3y+QUJ z%_PtC_fz3-0R-P~Ra4Agg~}iT9YU}cQo&ZvKDaaDG^0gY1$`B=<`L>C#F_%s!du8Re+bBX3Ul8mFL{MIa+FkfsA(pp$3`ZHGD*d+;L 
z>%G|}J$7esWV)Np$ygV6?e3%@SXP$7fYJyQ0+lqp$S?S{#zf(OdRK>n~8!iLi73&PE^=0^G$LU#TME3B+a zZcIqC>}vx>p&2OSmvWtm`FY$Hc%6ymLVs~6f7_-i`{;2?HB3B zXsn$)N>%1I6cG~X%+mMdQ`xl?{4*4uElyQqND$w{ULyJHDBpZP1e>EP-0wP=zk`*= zr0iyEC&;|({+dE(1i*U(pS4-!hu0E+&q&GYYvTZbD{>iX^#l#-kzQB{yyz}{!BX^| z&5Tx5hTz#2d1U+0c+ApT!mer z`|YP7_>$`1XuMBDIibYadfJdGGd5T5$B#8NyW7~K@>=Uch= zk45Y~e_*4k3Q%tiysf|hypMw~gq5c+?lCAk?WL5_On>Ol9ursKA?gTxBLLCjbMv7T zYxYWo=$0+4Ck@p%u}E&*Tg>4MLWrStJZPKB1-KdCfoC7&wR2%`xkK77P&sios$bdan5iwWYENRuOQi!bd>Iy-&R?M zK;!(4d&|}z#AJnt1KX=SR6v1;mkb}BQ(67wf5<_?7#Hyy+^mXIO@0*phfR_}aN@7U z8|+rX1!#LR&j^-BJSIna)O+*(!6~}fzt#}cp~uX6RXRL_6wg5m^EMT}bZX_UO{q%e ztO%(i7AF~3p#%J+cXSMi&b%as===rQ;ldwGBq-iozMHLtykEO&=j>+p8c^$O zddv}X7Xc`TL6sAyf-)C7>o-nB^e*P6RKo-E!rVe&LW~v{y5#J%>LtojFHt(En2ax1 z2Cj6lr7W@Khgu?UxZO8>h1I(^n|=kQJ2TI2VCAphV`Ia_NFP!8_~9FMGQhA;fsIEk zi|Z{9gzZPA1nxgA#GinZ+4E=j*9he#nhG!ccfyKwM1PCg@w1t_$Qv?WhYK?Qcc%ns<5l|t&^-p*Xa&{teecK>=8<*L|S${r6A zi{BcXRK@w8xQGCNBbdYbKh&;iJoXn3BdNIHSC92#hT6tyj?TWvB=Q6QI1+@d*|uP4 zbkNkQss(EUp_A8>xqZxG44b&V-Pvx~tb!^h0mJpjqELLcX^wYUZ*=}enf^v!$#ths zNLvQdA=L_er0rvZ!GKBtoJ>p)m!TGSW~NwaepMuWr;&p*I~pAAQA_^PxRSUyh9MN9 zZ$Cmy0Oezw#H0a0teO6F(__Ss*?)l>T>W4SRt}TA{+xO@?#YMDb7pqs=L2fWp8i?M z{uyj{Up9K;-ThG|p}6Cqh>vw-YI6bTPOm~o_fScy(megz*n^QZncbn~8WLJi8lP&OLVh!#^7DeYPVwmh)s1!C3jl##aRB3- zp3+)ASUiXE4@LaKqnNsANv>payfqq6qXQatjIPR4#uN3k^qEH!c?2xTPcCoD5gf)J zbTzv7_jzlN%MhC7EQ6mFg4-U#2a&o^RB0A*k@YFbiq@)IutRIeP6?H*RfZA_;}US7 zyk{@-vZBt^QdFda?U^+mdALc_v*MN~ahSQ;6o0+6SsBUHVgfg+U&pR){znJ@T!_}8 zj!vPw-uU-as(Ci)s7+)p#WMkgIQSIHP8$W?A++5hP^j1&acMWzq}yqq(D>ApqY z9Qa&bu*#8mh<$Wj&gjkSgOk-BPvfvbmmKWD!k_LQ6$-$kGduyP$7~; zTkEd4%T5AW6+asvXKDKuiTk-Z{4-T=iOwpaWS@-n09Ydc)Oa_`^q`N^I8mukbQ9e-zb#)oP4=(&c%%9ZrZx?98Z1CKL%0;+2LcSURNi$rB;x1$yICJSmBeD*J1py-InCin zP%8FwvDp~^b5+F7p)_j?r6mLItA}%ZOrrPqaVwF>Bq;C7FKVCX72gAD$vSNN3J+h7 zZE2pg_R?FZi;4Ab?WQ^5!Z!$*mhQk0b6#(o;q8dRviQhtvT(9Diqr3Hp7kuVM`C8n zcmqu2HxDzx>)}X>BO>TR{o6KcR8mN}d!!O4>uAnectvQ9Fe@(Pe->HF&Ka*J^945L 
z`CkNLP5pibOWSh)v4dEJn7e5(gU9jXzMtViC%<6kcmttCH$B=c zQe@V~l*r>|mnUmpi+%o)r&`0tFwwW#;s_i>qF6|?0gw;VSyk98{2_suCu$`Bf%Ki6 zRoM-PoIbp;wsmihRlMuu20b$ikA{_LDLgtqk*TBV-Y-8=pDKM=iK2`vs9>&fpC{yu z?d_iEqPK`u4mL+`rVaaqFS3l2@?5T!j;4;JC-{-1!mp>wnO}!%7RpM=V9J2d7ILZO zX_ZSM!^2~R!kr8$pJF@3jk?<1MFUip>+`ML86tfSLY3Cy7CfLazLD$PJ!CYR0YlMjr zZ8lsdRa~ooxoz5B*B?z8`y9gOVobkA1WeHH)uFWKW3~Le+qUU52lg_E82wb%?o&O9 z%y#Ly>%5z=nC0?q>tR#z>N7-e!iYPT6)u|Iy`5-$F4GK>#B z4sbB&Xv>xZhmU3;enzU6*kyB8F2~S9bJu}l=}A8DFQ1TMTkDJ)JEgX6{`^<&wi0W{ z(-EP^=SDyR)5QN%Hz2uIs8lWrri%WDt7+-nk;Ke_2@;Ij{B&q9|1jQ^RYIWa8r3H@ z94k7PRUFEc2h~!mzH6hI<`537{!x_J#QFZs#Zv@TtpdVvgMCJRmn)a{Yv+vy$&fd@ z-|7Nr&b2{oZJEq$mk#y)9G0nb{!S6hkIMVyCaryjrCo;MoXWEO7m_oumcV^?be;?L z9#PaUB=6)bYLkRwuNT=RRtZt6UTqC3IPSmgr18j7_v+*1Z8nKkZRPE8Q0NXp2&r8f(5gG~QOz;Ztp-#vl1{0onavM;8H?VFE& za+&w1z{Q2nIF4eMWO!g6XF%=S+RNex4yj-@2kE%+cWXJZb zQ{#5TVo_44K>T?R4x4}>?Ju^9J)ZWm+~PdqHcN(f2y|0QjMDL{M|DyF`ecOk!O{FKE8p15UO2`&(Iz zy}7F0e`EEM(^U@AG^#jXC|TjivWX|G<(xlIBK|9U=ZA0OBRjhO+KbpMg}03oqXkfe z1Z_)GC3G7mDiFoQf~?U>T9(xCoY?@GKx&C&1sifxJF^sbHGEuKa?>>rJF|&(hKq%v z45AJYhhR$ekLu`PR(EF5(1s02^6Sm6;L(?t;@5Me@nO{&*y@`0ayM7kgE(reY#C_L zzNl~v-0h6U)@tCyr7|@D>#C)FJgCjN7WM~thS>L&*;YxpUHZ^?vws89SB1K`b1B1k z58V#*riQeQuR^V;9LH3c@=accO`My^GW;ELr~44*5l+`ebj(buvy^lys~eit zL7=fkjpd_5IO^cCWCDJ&#^y42eqaEA7S^WyKKy*~xF50X@zJE^qSm4%EwHm<{m*QW zCAs^lGmQMAtz8QfPAN$DpZh81`68u6AMe>>@dTKhR;{{f{KV@OA#`zK_z^nLStPQ12W_`uSQv zBa@cl@BBY(g z7~izVibocq6q4WMk(BIMP)m$14h!vgu0y0gx>BTYh=N!4uZ%WkhxDv zl}(Bp!d=$G#Y)IT8Yh`}+%|8|`V~2vqo&G~YG!wIOt%ge8d}791*NKu-c0KvduZ_) zW#5R1lRKjOTeUBdv*3>2I(?yat0)3JHtHaAi1J@aC6RJ> z{y?Eta1$A@=$ZKTp9;VTjJy-ziEXsFeqsOyCd56?T5*0?r9jGC{}(rgo@{*rnX)xk zZ+e*CymQZo2bNW@(RH+-&o9*O)Yzc$ouH$E#%D5d2LY2Ejo_3P>r^MAJZEoa+PU#6 z0Y20;z1Opx>%8#*BD@;&r^TyDn9Me2GAM)E3^X!Z^6aD1GgZ^D0h5fL)?NwMWUMig zU;l%$GW{0Tii_boJkP&#Vzc0Y|L7TRf#1Z5x4Z2;P0**j!&Wh6Ji6MLbjX{?Wt6OI zBSNingmkv91~>_F_?q>`VR9+OZWW*~A0-~s)W%4*xP-VnhyG1JBuNLT?u?4kHKMO2 z;+8Anka+3)DEOw&M*Q^W7s#CKUnSq?T&i5HBc`bdn>9bz+J|H@ot7`rf*4ION;qidWT5v 
zLyML;yOBjDD8;dV+aJ7Xm8Lf!mT~mGA~lBd$iLaK1<`dfQ!8*MVMa~qw1`AnNP#nS z$H+=swXL(zX&k50R@2BtWLE2SrB}XaoOO-21P~6ZbF!nXZH^Q~Q znZbD;;g|uvCD<`DKhP|&a=@2iMT?{lPKXm`OrK}brZXcaj9lGEJUT>JN(~1Py&HsU zJWT=}*4U}tx%GiqB$CUi-`moSvGKfF2D<=0;@-z=^*l`G#IE)XGqrp^Z=C!~=o6ei zZ*jCsg;bj(?v0veYs%`L=g-QelL5=O_a%3YH_Ypo*!3Qnz|rVAYL-OxISv z!~q~NMM%RZn)~}EKQV*yHD+Ul`_JANzzZa`IDRJ8=CW;?AqkXFx9ysl@1ew1J$4Cz zkCv+0lX>-GUXyh7s{iCz6-V9*h2foNmDj&hZ)Hz2mOg14lgAwvBpZedSwf1GG1)D> zi*SqIvoVd6Z*7XFkmSQ|w;`74-BWlmSj1-Co}g);rG`|y)gc%IJU?$l?G({_Qe!<6 z)-5(;n|ys|u}#jyv_|3U69(Bf!oMSFdg7UgdM{xDG3{}IAmze$S{ebcuV`0k-_`%0RFWNWtmCdnJq!&PdF&|(S12}%4!i^fG zdQjTO$l>*l_7L-v7ZZl1Fz(*HL02hI5*6usR1{qZMb72zupGKiX-O^#S9!@OUU z>gb_1pe5zPw{&~u#tDHS%kLb%ECU-78J098>U8*noTPpXTKZ^@l$2bcIo2y|!9c_3 z$BvxdF$gBL#9H2-mO#&RhJHJ~T*6kKg{FT^K zoA0rqiZ*^0ZTwGd%R}+_pAvJY;wOcRgCq-jPeE9-?38rYAB|WJK?y|MAkP{Mxb46d zt9H)*(iDHX93?Y8c74C?vp!EwvPhioqsx@R6h7hBrhL*nb(CMc8;dAv>M=ZZ#-IXg zPvhrG*yB{Vzii2nnxXBa-MR!x6tLz-P;CF^i01QDnAXBs#WiU;h;@JmO1M+RFMY233{*G8I-|nNP znm4R(9RBh8G~)sCn0MTd72xWly@;>0h^u)XvtD%NGbj~dwR7(Ya+q91mpAUB;s$Afab z)a$a9xAV28~h3Mi2*xltu6D}Qvs-!TbJ$3Yl>p$*;q4DBn3 zq6I}ZoWF~{i}`l5V`Gb;+bGCs0djfOgY>eB_kFcQq}FX%A9bk~`h02Ryzw;(KGgB~ zP>1Iq1~nx@s@xt{RzoaZA%!AX{SrDO9%+;0EciE8YOSntV0A{&Fv;`gil5CiDoRPB+a; zvemgi)z8T?Ht4z@mlQ9C#a=^WW@ZyZRW*FezX#K3usDVjUw)*&Vl7RKw$;Qfr94gF z{&dcuuTh1lRsTT;5Lpm+!%WoBYKDz^F4LY0t|#h$wf##>*8e;0kNvf;ihB8Jtag}I ze9Xe;H$gGS$ud$GW}|EjeZoXpDVLiO0kh>&neaR@a8BKjbj+&LQ)934_ zr@g&}(MtK+!}>!VFNGgPDrRXaUlZbpKA@I{m^NIusTxZf1n0M0Hn7ogUm3C{!@bV5 z1alL2eOH>Qo6~YzGl!*aqsco=Vc9B%_R6{TF~3aPO$fKae!3hc+d7xvjj3lN{jOrq zQJ?EUnU43Snn#ZbC<2>K>B8Y0zGW`c@57ClZ@+Sk=ib=S#Iye5%QLd`8BU9p9u?tq zDt@VgOgF{e)7(QL0x|{*--g~a{WEP#Ord&XDjA`i2XEavME?^|s|6Y4{L$f-SXt^9 zIV3^x;NY9K$g8sk@li3aFFoOMneH))s?14n;la(t7|xSV8UGDf{?+|vzSliL%v?<@ zzA9#VSfht5RU=`5Tc;(AAs7dF0`AUu$DZW)UEwfmyO5Fu&6N#FN${mi1Wl8{AaM>C ziHAcE&8*`d$+V>hPgQ&|@o>@2@{$p$%1`Z2l6RvYf4JuYN3Uu(a)slF=YU7o9JOUob*;WH^*yX zQ#`2LXP>w@j>ZhDLN7_nle}6kzN{7Q&a 
zPYZ;i#fDMwq-;oy)TZgsj*m0Y&FmRZN))TG;D;Q$Z>ww^HOt-4@@E-C`UF?IHglS=(6UQW;@sk z{GGWen_$&mP4}mAQH0rCKYcxVb z5NR!Orex)+Fw^}KOh7K$D=w%q^?F@FqwP`gO!iIP!<)q3>NAXrw0HYMm=`^bI;!wW z7`8&aXLB5?c1%EAP9T7-$~XN4;D8~PblhQx^@yQt{9;+E;6#*Jfhx`Ij^@b-*|%9t{!-~|{bH_>Ez+cdN}8(RhfIur>w6pJuf;Hu znqX}9;O%b&If-XUh~S%to?3JuB`4%pJc}}PA9KnzFUrDICs$Z#G4R>zwPdYR*ai zd=;7#A7Yj_J0-c!EAWVHb7Udpm|KN2wrMzMJNMfoAs4>n=UI?TDLoZ8`Ih;iOfhO^ zrw0vIl#prYbIM3sc5El%*U{QrjJN*hkrGQ?qV z`vlbZb1C>70nuC@)&R!x;NP67Bi}IJrxyOD&?982{sDRZn`PI}sK6lpd_ETPj+!)V z#qJ7Pcn@Go$i)^{v7}#j1kKK?tcihCXeFkhINXim0mDcRo9$EQhHn+O&6krnKt~lV z?k{x#PT^((Z9zTfJdQa&cnXFer*CV*n|yp~h5ZpbSjpl^{tfSr#@vS^-Jnz=v7%&5 z&jMD{4_F4(R9SzsxTKjAvFk}#*G;Q@rVbxt66o3wSOA&f3vni{Gu)N2M>09V%A4_a z-oKmxW}xx_PzWLdW4b?nf=)v1*=UWGV-0R6#yzMzUx(`LRN-DWRBBDKrkTa!L<_GDC@!tK(EQYDS^dBHPRRHgT43Ie zAD1@S3f`E8X@a1pU&XAW!68b>sLP`8b&(nu{IJqykU?0bL##kj#tWVzCyZCgR^ z?qnd5SCqs8!L+jucN~=s3x}&CA`?=>#j4vriIOqdUxc`-69mQu5GZ^HOM|IeoF13+<9l&-tyE73=Q z#^su3$w{8B_VhWPiT)|r03&6{4C|P0mwV4N3<#!n4uXJUFV%!{Cj-$Vo1; zYOzXulvqI3|EU(gN&DjuZoHx#{;e#q`E~dRNYgf_@R~k|KF#yg3}fPLuvrbWV*}Oj zd(~LVp(W?fYCef}$`qN-xyMt+JCe`MkF+bkiAMsRjdK=6W9XKC*SYWB*NS8^)tl!D zucM5+Zmm_9d1Ip&Iz>e(>3VS>!yJNrsAOJrz$7;LFjC1#0A+Q~5sQZA2dt%d?1%Zs zO*+Y)fX5Bmc*kM)S$((gVQ(;sd;brBL0;w7yUp4500D?^M$+o6H_oPA1a=keBY2z# zUX<%LU6aZ6yB9ZH|Ln}bi$Rb~sSQ-op90n>Fb`z0I7Rx3OH;WNAYI>>;*F zm?9i4eYAI7o4EmDLZz?{7&Dv9<96G!_rm6BDlG{*-ZzZ=VQJZ8ScJ-&$vTd7I`#t} zdudsE@RMk1nR+o3H)$E|197EI9RM%!M-r=5UhhY`eUlp2VY8|}-{tzBKyi~r?h2}( zasV9K473R4W~#I!QEMC828Y{B$6kGNG_I;i=d0Vrcu3b{{7FiYzr3;Q^hdLS&q;Y6 z#8|H7+MN_foy8)DI?}=_%Bc~XM(2)fC*jcIs|3-xg`o4B+awQq|9ys=t=n^&!&Pnb zF2ZMDK4iho8t1Nc^@G*azb&s{A=<-LUGpx1XJ4PMP?vMp`&TIaZ_DS_Eg{VzpO$$S z@oxXc{m*&V`UC-;aI?Unk8&gp&QF2g(Al6s zBzGA;it$3P;CO`(!(@TMkCA-7HDjkEdL{ER?2gD*PSD(5I&PxQ*4c*^SUW_H9t!Y^ zNocRycz1oA`}}fY0EfVU{Qo;+eOWR5&ruZgU-AF($@<@o{BJXd|Jwu@SW!^Ym+993 YW9^_M2mS58DiB|1=vRqj``_LF0iG4)TmS$7 literal 0 HcmV?d00001 
diff --git a/Solutions/IllumioSaaS/Package/createUiDefinition.json b/Solutions/IllumioSaaS/Package/createUiDefinition.json
index d5238de2525..50582a31f18 100644
--- a/Solutions/IllumioSaaS/Package/createUiDefinition.json
+++ b/Solutions/IllumioSaaS/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[IllumioSaaS](https://www.illumio.com/) solution provides ability to ingest auditable and flow events from AWS S3 bucket.\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 6, **Function Apps:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[IllumioSaaS](https://www.illumio.com/) solution provides ability to ingest auditable and flow events from AWS S3 bucket.\n\n**Data Connectors:** 1, **Workbooks:** 4, **Analytic Rules:** 6, **Function Apps:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -142,6 +142,20 @@
 }
 }
 ]
+ },
+ {
+ "name": "workbook4",
+ "type": "Microsoft.Common.Section",
+ "label": "Illumio OnPrem Health Workbook",
+ "elements": [
+ {
+ "name": "workbook4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This workbook leverages events ingested by 'Syslog via AMA devices' and presents insights"
+ }
+ }
+ ]
 }
 ]
 },
diff --git a/Solutions/IllumioSaaS/Package/mainTemplate.json b/Solutions/IllumioSaaS/Package/mainTemplate.json
index 2c7e6dbd531..7acc9fa8182 100644
--- a/Solutions/IllumioSaaS/Package/mainTemplate.json
+++ b/Solutions/IllumioSaaS/Package/mainTemplate.json
@@ -51,11 +51,19 @@
 "metadata": {
 "description": "Name for the workbook"
 }
+ },
+ "workbook4-name": {
+ "type": "string",
+ "defaultValue": "Illumio OnPrem Health Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
 }
 },
 "variables": {
 "_solutionName": "IllumioSaaS",
- "_solutionVersion": "3.3.0",
+ "_solutionVersion": "3.4.0",
 "solutionId": "illumioinc1629822633689.illumio_sentinel",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "IllumioSaaSDataConnector",
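Review bot: The `"text"` string added for workbook4 tells the operator only that the workbook "leverages events ingested by 'Syslog via AMA devices'", while the solution description in the same file still says the solution ingests from an AWS S3 bucket and packages a single data connector, so nothing in the install UI says that a second, unpackaged connector has to be enabled before this workbook returns anything. I would make the dependency explicit in that string, e.g. `"text": "This workbook presents health insights from Illumio on-prem events ingested through the Syslog via AMA data connector. That connector is not part of this solution and must be configured separately before the workbook will show data."`. The table and syslog facility the workbook actually queries are not visible in this hunk, so confirm them against the workbook JSON before settling the wording.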
@@ -86,6 +94,12 @@
 "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]",
 "_workbookContentId3": "[variables('workbookContentId3')]",
 "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]",
+ "workbookVersion4": "1.2.0",
+ "workbookContentId4": "IllumioOnPremHealthWorkbook",
+ "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]",
+ "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]",
+ "_workbookContentId4": "[variables('workbookContentId4')]",
+ "_workbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId4'),'-', variables('workbookVersion4'))))]",
 "analyticRuleObject1": {
 "analyticRuleVersion1": "1.0.6",
 "_analyticRulecontentId1": "e9e4e466-3970-4165-bc8d-7721c6ef34a6",
@@ -172,7 +186,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IllumioSaaS data connector with template version 3.3.0",
+ "description": "IllumioSaaS data connector with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
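Review bot: `"workbookVersion4": "1.2.0"` enters the package at 1.2.0 although this commit is the first to add the workbook to mainTemplate.json, and that string is folded into `_workbookcontentProductId4` via `uniqueString(...)`, so the content item id will change on a later repackage if this value and the version declared in the workbook's metadata entry ever disagree. The WorkbooksMetadata.json hunk is not in this view, so I can only ask that the two be checked against each other; if the workbook is genuinely new to this solution, 1.0.0 is the conventional starting point. The other five variables in the hunk mirror the workbook3 set directly above them and look consistent.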
@@ -518,7 +532,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IllumioAuditableEvents Workbook with template version 3.3.0",
+ "description": "IllumioAuditableEvents Workbook with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -536,7 +550,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9875bc24-f51c-4151-96f0-2e4af7039364\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":86400000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize count()\",\"size\":4,\"title\":\"Audit Events\",\"noDataMessage\":\"0\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Audit Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"table('Illumio_Auditable_Events_CL')\\n| where event_type has 'tampering'\\n| summarize count()\",\"size\":4,\"title\":\"Tampering Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Tampering Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"table('Illumio_Auditable_Events_CL')\\n| where event_type has 'port_scan'\\n| summarize 
count()\",\"size\":4,\"title\":\"Port Scan Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Port Scan Events\",\"styleSettings\":{\"maxWidth\":\"30\"}}]},\"name\":\"group - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize distinct_count = dcount(href) by event_type\\n| order by distinct_count \\n| top 10 by distinct_count\",\"size\":0,\"title\":\"Top Auditable events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Change Monitoring\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize arg_max(TimeGenerated, *) by href\\n| where event_type == 'sec_policy.create' \\n| mv-expand resource_change = resource_changes\\n| project TimeGenerated,\\n workloads_affected_after_change = resource_change.changes.workloads_affected.after,\\n policy_version = resource_change.resource.sec_policy.version,\\n commit_message = resource_change.resource.sec_policy.commit_message,\\n modified_objects = resource_change.resource.sec_policy.modified_objects,\\n change_type = resource_change.change_type\\n\",\"size\":0,\"title\":\"Workloads affected by policy changes\",\"noDataMessage\":\"No workloads were affected by policy changes\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"name\":\"Workloads affected by policy 
changes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where resource_changes != '[]' and isnotempty(resource_changes) // ensure resource changes are not empty\\n| summarize arg_max(TimeGenerated, *) by href\\n| mv-expand parse_json(resource_changes)\\n| project resource_type = tostring(bag_keys(resource_changes.resource)[0])\\n| summarize Count=count() by resource_type\",\"size\":0,\"title\":\"Changes by Resource Type\",\"noDataMessage\":\"No changes by resource type\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"customWidth\":\"35\",\"name\":\"Changes by Resource Type\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where resource_changes != '[]' and isnotempty(resource_changes) and not(event_type matches regex '^user.*') and (event_type has '.create' or event_type has '.update' or event_type has '.delete') and (created_by !has \\\"agent\\\" and created_by !has \\\"ven\\\" and created_by !has \\\"container\\\")\\n| extend User = tostring(parse_json(created_by)['user']['username'])\\n| summarize Count = count() by User\",\"size\":0,\"title\":\"Changes by User\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"Changes by User\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| where created_by has \\\"agent\\\" or created_by has \\\"ven\\\"\\n| project user = tostring(parse_json(created_by)['agent']['hostname'])\\n| summarize count() by user\",\"size\":0,\"title\":\"Events generated by agents\",\"noDataMessage\":\"Agents have not generated 
any events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Events generated by agents\",\"styleSettings\":{\"maxWidth\":\"20\"}}]},\"name\":\"ChangeMonitoring\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Auditable_Events_CL\\n| summarize arg_max(TimeGenerated, *) by href // try to filter what event_type to prioritize in bar chart\\n| make-series events = count() default = 0 on TimeGenerated from {Time:start} to {Time:end} step 1h by event_type //from ago(1d) to now() step 1h by event_type \",\"size\":0,\"title\":\"PCE events breakdown - every hour\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"PCE events breakdown - every hour\"},{\"type\":1,\"content\":{\"json\":\"### Authentication events \\nChoose from below drop down to filter authentication events.\"},\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1ee7c425-b1b5-4a71-8dc3-9b447fa1f316\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventType\",\"label\":\"Include Event Type\",\"type\":2,\"description\":\"Types of events to be included \",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n { 
\\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"value::all\"]},{\"id\":\"4f1ca215-f902-4fac-9bf0-834e4988a107\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ExcludeEventType\",\"label\":\"Exclude Event Type\",\"type\":2,\"description\":\"Types of events to be excluded\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n { \\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"},\\n { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\", \\\"selected\\\": true}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"None\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"description\":\"Status 
values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"failure\\\", \\\"label\\\":\\\"Failure\\\" },\\n { \\\"value\\\":\\\"success\\\", \\\"label\\\":\\\"Success\\\", \\\"selected\\\": true },\\n { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"c8996627-2e77-4386-9c23-1eb5d50df311\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"description\":\"Status values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"err\\\", \\\"label\\\":\\\"Error\\\" },\\n { \\\"value\\\":\\\"info\\\", \\\"label\\\":\\\"Info\\\", \\\"selected\\\": true } \\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"79d0945d-d0f8-4293-8dc2-3c57391cde95\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let included_event_types = iif(\\\"*\\\" in ({EventType}), dynamic(['user.login','user.logout', 'user.sign_in', 'user.sign_out', 'user.authenticate','user.create_session','user.pce_session_terminated']), dynamic([{EventType}]) );\\nIllumio_Auditable_Events_CL\\n| where event_type in (included_event_types)\\n| where \\\"*\\\" in ({Status}) or status in ({Status}) and \\\"*\\\" in ({Severity}) or severity in ({Severity})\\n| where not(event_type in ({ExcludeEventType}))\\n| project TimeGenerated, pce_fqdn, event_type, status, notification_type = parse_json(notifications)[0].notification_type,severity, 
created_by_username = iif(created_by == '{\\\"system\\\":{}}', parse_json(notifications)[0].info.user.username, parse_json(created_by).user.username)\",\"size\":0,\"title\":\"PCE Authentication Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":100,\"filter\":true,\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"name\":\"PCE Authentication Events\"}],\"fromTemplateId\":\"sentinel-AuditableEventsWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9875bc24-f51c-4151-96f0-2e4af7039364\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":86400000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"264cba08-bf9e-44d6-9473-5f03e9aa9375\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Illumio_PCE\",\"label\":\"Illumio PCE\",\"type\":2,\"description\":\"Select the Illumio PCE from which you want to see events for\",\"isRequired\":true,\"isGlobal\":true,\"query\":\"Illumio_Auditable_Events_CL\\n| project pce_fqdn , table = \\\"Illumio_Auditable_Events_CL\\\"\\n| union ( IllumioSyslogAuditEvents \\n | project pce_fqdn , table = \\\"IllumioSyslogAuditEvents\\\"\\n )\\n| distinct table, pce_fqdn 
\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"IllumioSyslogAuditEvents\"},{\"id\":\"1b35142b-4e83-4645-83d3-29edd556ee3d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TableToSearchFrom\",\"type\":1,\"description\":\"use Illumio_PCE to define what table to fetch events from\",\"isGlobal\":true,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"{Illumio_PCE:value}\"}}]}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nlet table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize count()\",\"size\":4,\"title\":\"Audit Events\",\"noDataMessage\":\"0\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Audit Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where event_type has 'tampering'\\n| summarize count()\\n\",\"size\":4,\"title\":\"Tampering Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Tampering Events\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = 
'{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where event_type has 'port_scan'\\n| summarize count()\",\"size\":4,\"title\":\"Port Scan Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"30\",\"name\":\"Port Scan Events\",\"styleSettings\":{\"maxWidth\":\"30\"}}]},\"name\":\"group - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| summarize distinct_count = dcount(href) by event_type\\n| order by distinct_count \\n| top 10 by distinct_count\",\"size\":0,\"title\":\"Top Auditable events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Change Monitoring\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| summarize arg_max(TimeGenerated, *) by href\\n| where event_type == 'sec_policy.create' \\n| mv-expand resource_change = resource_changes\\n| project TimeGenerated,\\n workloads_affected_after_change = resource_change.changes.workloads_affected.after,\\n policy_version = resource_change.resource.sec_policy.version,\\n commit_message = resource_change.resource.sec_policy.commit_message,\\n modified_objects = resource_change.resource.sec_policy.modified_objects,\\n change_type = resource_change.change_type\\n\",\"size\":0,\"title\":\"Workloads affected by policy changes\",\"noDataMessage\":\"No workloads were affected by policy 
changes\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":1}]},\"name\":\"Workloads affected by policy changes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| where resource_changes != '[]' and isnotempty(resource_changes) // ensure resource changes are not empty\\n| summarize arg_max(TimeGenerated, *) by href\\n| mv-expand parse_json(resource_changes)\\n| project resource_type = tostring(bag_keys(resource_changes.resource)[0])\\n| summarize Count=count() by resource_type\",\"size\":0,\"title\":\"Changes by Resource Type\",\"noDataMessage\":\"No changes by resource type\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"customWidth\":\"35\",\"name\":\"Changes by Resource Type\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| where resource_changes != '[]' and isnotempty(resource_changes) and not(event_type matches regex '^user.*') and (event_type has '.create' or event_type has '.update' or event_type has '.delete') and (created_by !has \\\"agent\\\" and created_by !has \\\"ven\\\" and created_by !has \\\"container\\\")\\n| extend User = tostring(parse_json(created_by)['user']['username'])\\n| summarize Count = count() by User\",\"size\":0,\"title\":\"Changes by User\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"Changes 
by User\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| where created_by has \\\"agent\\\" or created_by has \\\"ven\\\"\\n| project user = tostring(parse_json(created_by)['agent']['hostname'])\\n| summarize count() by user\",\"size\":0,\"title\":\"Events generated by agents\",\"noDataMessage\":\"Agents have not generated any events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"Events generated by agents\",\"styleSettings\":{\"maxWidth\":\"20\"}}]},\"name\":\"ChangeMonitoring\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| summarize arg_max(TimeGenerated, *) by href // try to filter what event_type to prioritize in bar chart\\n| make-series events = count() default = 0 on TimeGenerated from {Time:start} to {Time:end} step 1h by event_type //from ago(1d) to now() step 1h by event_type \",\"size\":0,\"title\":\"PCE events breakdown - every hour\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"PCE events breakdown - every hour\"},{\"type\":1,\"content\":{\"json\":\"### Authentication events \\nChoose from below drop down to filter authentication events.\"},\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1ee7c425-b1b5-4a71-8dc3-9b447fa1f316\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventType\",\"label\":\"Include Event Type\",\"type\":2,\"description\":\"Types of events to be included 
\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n { \\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n { \\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"value::all\"]},{\"id\":\"4f1ca215-f902-4fac-9bf0-834e4988a107\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ExcludeEventType\",\"label\":\"Exclude Event Type\",\"type\":2,\"description\":\"Types of events to be excluded\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"user.logout\\\", \\\"label\\\":\\\"User logout\\\" },\\n { \\\"value\\\":\\\"user.sign_in\\\", \\\"label\\\":\\\"User signin\\\" },\\n { \\\"value\\\":\\\"user.sign_out\\\", \\\"label\\\":\\\"User signout\\\" },\\n { \\\"value\\\":\\\"user.login\\\", \\\"label\\\":\\\"User login\\\"},\\n { \\\"value\\\":\\\"user.pce_session_terminated\\\", \\\"label\\\":\\\"User session terminated\\\"},\\n { \\\"value\\\":\\\"request.authentication_failed\\\", \\\"label\\\":\\\"Authentication failed\\\"},\\n { \\\"value\\\":\\\"user.authenticate\\\", \\\"label\\\":\\\"User Authentication\\\"},\\n { 
\\\"value\\\":\\\"user.create_session\\\", \\\"label\\\":\\\"User create session\\\"},\\n { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\", \\\"selected\\\": true}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":[\"None\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"description\":\"Status values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"failure\\\", \\\"label\\\":\\\"Failure\\\" },\\n { \\\"value\\\":\\\"success\\\", \\\"label\\\":\\\"Success\\\", \\\"selected\\\": true },\\n { \\\"value\\\":\\\"None\\\", \\\"label\\\":\\\"None\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"c8996627-2e77-4386-9c23-1eb5d50df311\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"description\":\"Status values\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"err\\\", \\\"label\\\":\\\"Error\\\" },\\n { \\\"value\\\":\\\"info\\\", \\\"label\\\":\\\"Info\\\", \\\"selected\\\": true } \\n]\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"79d0945d-d0f8-4293-8dc2-3c57391cde95\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let included_event_types = iif(\\\"*\\\" in ({EventType}), dynamic(['user.login','user.logout', 'user.sign_in', 'user.sign_out', 'user.authenticate','user.create_session','user.pce_session_terminated']), dynamic([{EventType}]) );\\nlet table_to_search_from = 
'{TableToSearchFrom}';\\n\\ntable(table_to_search_from)\\n| where event_type in (included_event_types)\\n| where \\\"*\\\" in ({Status}) or status in ({Status}) and \\\"*\\\" in ({Severity}) or severity in ({Severity})\\n| where not(event_type in ({ExcludeEventType}))\\n| project TimeGenerated, pce_fqdn, event_type, status, notification_type = parse_json(notifications)[0].notification_type,severity, created_by_username = iif(created_by == '{\\\"system\\\":{}}', parse_json(notifications)[0].info.user.username, parse_json(created_by).user.username)\",\"size\":0,\"title\":\"PCE Authentication Events\",\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":100,\"filter\":true,\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"severity\",\"sortOrder\":1}]},\"name\":\"PCE Authentication Events\"}],\"fromTemplateId\":\"sentinel-AuditableEventsWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -605,7 +619,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IllumioFlowData Workbook with template version 3.3.0", + "description": "IllumioFlowData Workbook with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", 
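Review bot: The new `Illumio_PCE` parameter in the rewritten serializedData never actually filters by PCE: its query ends with `| distinct table, pce_fqdn`, so the selected value is the table name (copied into `TableToSearchFrom`), and every tile then only does `table(table_to_search_from)` with no `| where pce_fqdn == ...`, so two PCEs logging into the same table show identical, combined results despite the description "Select the Illumio PCE from which you want to see events for". Either carry the chosen fqdn into a second hidden parameter (e.g. from `{Illumio_PCE:label}`) and add a `pce_fqdn` filter to each query, or relabel the parameter as a table selector so the UI does not promise per-PCE scoping. The dropdown query also uses a plain `union` over `IllumioSyslogAuditEvents`, which fails outright in a workspace where that table does not exist, and the hard-coded default `"value":"IllumioSyslogAuditEvents"` then breaks every tile on first load; `| union isfuzzy=true (IllumioSyslogAuditEvents | project pce_fqdn, table = "IllumioSyslogAuditEvents")` tolerates the missing table, and the default should fall back to `Illumio_Auditable_Events_CL`, the only table the pre-change workbook queried. Unchanged but still present in the new string, the authentication tile's `where "*" in ({Status}) or status in ({Status}) and "*" in ({Severity}) or severity in ({Severity})` mixes `or`/`and` without parentheses, so one of the two pills is effectively ignored depending on the selection; group each pair as `(... or ...) and (... or ...)`.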
@@ -623,7 +637,7 @@
 },
 "properties": {
 "displayName": "[parameters('workbook2-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ebc4e534-7a4a-41be-b365-ddcd4f564090\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time Range\",\"type\":4,\"description\":\"As a time filter\",\"isGlobal\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize count() by bin(TimeGenerated, 1h)\",\"size\":0,\"title\":\"Traffic every hour\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"traffic-every-hour\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Trafficked Workload Stats\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Enter the number of workloads for which the inbound and outbound connections are to be fetched. These workloads will be ordered by connection count. 
\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0dead08f-24f5-40b3-a011-a59e007a8e70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"workload_count\",\"label\":\"Workload Count\",\"type\":1,\"description\":\"Provide an integer that denotes the limit for retrieving most trafficked workloads\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 5, \\\\\\\"label\\\\\\\": 5, \\\\\\\"selected\\\\\\\": true}\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":8,\"value\":\"10\"}],\"style\":\"pills\",\"queryType\":8},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let workload_count = {workload_count};\\nIllumio_Flow_Events_CL\\n| extend hostname = coalesce(src_hostname, dst_hostname)\\n| summarize Count = count() by hostname, dir\\n| summarize InboundCount = sum(iff(dir == \\\"I\\\", Count, 0)), OutboundCount = sum(iff(dir == \\\"O\\\", Count, 0)) by hostname\\n| top workload_count by hostname\\n\",\"size\":0,\"title\":\"Most Trafficked Workloads\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"workload\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"hostname\",\"showLegend\":true,\"xSettings\":{\"label\":\"Workloads\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"Most Trafficked Workloads\"}]},\"name\":\"MostTraffickedWorkload\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Traffic 
Explorer\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Filters for querying traffic data\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"## Traffic Explorer\\n### Please enter source ip, destination ip, destination port, protocol, time range to filter traffic records. \\n### All records are returned unless provided.\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8ab7ce90-16a6-4e7e-85b7-292234a9d3c1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_ip\",\"label\":\"Source IP\",\"type\":2,\"description\":\"Select source ip\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by src_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"24f11ee0-0b0b-4c79-918b-01df57233aa2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_ip\",\"label\":\"Destination IP\",\"type\":2,\"description\":\"Select destination ips\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by dst_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb9fe16e-be04-479d-9389-0095c2b43d50\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_port\",\"label\":\"Destination Port\",\"type\":2,\"description\":\"Select destination 
port\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by dst_port\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"416ab303-c10f-47c1-9f01-7c1324699b49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"protocol\",\"label\":\"Protocol\",\"type\":2,\"description\":\"Protocol for fetching traffic records. For multiple, use comma as delimiter like 6,17\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| summarize by proto\\n| extend protocolName = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 
37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n 
proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f07c08c2-ff0f-42a7-adc6-4fd5d7f1cb19\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_label\",\"label\":\"Source Label\",\"type\":2,\"description\":\"Filter for source 
labels\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| where src_labels != ''\\n| extend parsed_labels = parse_json(src_labels)\\n| mv-expand kind=array parsed_labels\\n| extend src_label=tostring(parsed_labels[1])\\n| summarize by src_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"9d5cb77f-31a5-41ed-8849-aaee2b513f54\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_label\",\"label\":\"Destination Label\",\"type\":2,\"description\":\"Filter for destination label\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Illumio_Flow_Events_CL\\n| where dst_labels != ''\\n| extend parsed_labels = parse_json(dst_labels)\\n| mv-expand kind=array parsed_labels\\n| extend dst_label=tostring(parsed_labels[1])\\n| summarize by dst_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"all_traffic_params\",\"styleSettings\":{\"maxWidth\":\"30\"}}],\"exportParameters\":true},\"name\":\"parameters_group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (src_labels has_any ({src_label}) or 
'*' in ({src_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol})) \\n| extend policy_decision = \\n case(pd == 0, \\\"Allowed\\\",\\n pd == 1, \\\"Potentially Blocked\\\",\\n pd == 2, \\\"Blocked\\\",\\n \\\"Unknown\\\")\\n| summarize count() by policy_decision\\n\",\"size\":2,\"title\":\"Flow count by policy decision\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Potentially Blocked\",\"color\":\"yellow\"},{\"seriesName\":\"Allowed\",\"color\":\"green\"},{\"seriesName\":\"Blocked\",\"color\":\"red\"},{\"seriesName\":\"Unknown\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Flow count by policy decision\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nIllumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend class_type = \\n case(class == 'B', 'Broadcast',\\n class == 'M', 'Multicast',\\n class == 'U', \\\"Unicast\\\",\\n \\\"Unknown\\\")\\n| summarize count() by class_type\\n\",\"size\":2,\"title\":\"Flows by class\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"Flows by class\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### A service is indicated with a destination port and protocol, represented in the below graph as \\\"destination_port/protocol\\\"\",\"style\":\"info\"},\"name\":\"text - 
7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocolName = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 
49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, 
\\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| extend service = strcat(dst_port, '/', protocolName)\\n| summarize service_count = count() by service\\n| top 5 by service_count\\n\",\"size\":0,\"title\":\"Top 5 Services by Flow Count\",\"color\":\"blue\",\"noDataMessage\":\"No services found\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"xAxis\":\"service\",\"yAxis\":[\"service_count\"],\"xSettings\":{\"label\":\"Destination Service\"},\"ySettings\":{\"label\":\"Count\"}}},\"name\":\"Top 5 Services by Flow Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 2 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels 
has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, 
\\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, 
\\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Blocked Traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Blocked Traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 1 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, 
\\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, 
\\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, 
\\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Potentially blocked traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Potentially blocked traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Flow_Events_CL\\n| where pd == 0 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, 
\\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto 
== 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\",\"size\":0,\"title\":\"Allowed 
traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Allowed traffic\"}]},\"name\":\"Traffic Explorer\"}],\"fromTemplateId\":\"sentinel-FlowDataWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ebc4e534-7a4a-41be-b365-ddcd4f564090\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time Range\",\"type\":4,\"description\":\"As a time filter\",\"isGlobal\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"ced5d7b4-3302-4479-bee9-563947af3a5d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Illumio_PCE\",\"label\":\"Illumio PCE\",\"type\":2,\"description\":\"Select the Illumio PCE from which you want to see events for\",\"isRequired\":true,\"isGlobal\":true,\"query\":\"Illumio_Flow_Events_CL\\n| project pce_fqdn , table = \\\"Illumio_Flow_Events_CL\\\"\\n| union ( IllumioSyslogAuditEvents \\n | project pce_fqdn , table = \\\"IllumioSyslogNetworkTrafficEvents\\\"\\n )\\n| distinct table, pce_fqdn \",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"IllumioSyslogNetworkTrafficEvents\"},{\"id\":\"01dea62f-0a96-4799-ad15-4410632e9665\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TableToSearchFrom\",\"type\":1,\"description\":\"use Illumio_PCE to define what table to fetch events 
from\",\"isGlobal\":true,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"operator\":\"Default\",\"resultValType\":\"static\",\"resultVal\":\"{Illumio_PCE:value}\"}}]}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize count() by bin(TimeGenerated, 1h)\",\"size\":0,\"title\":\"Traffic every hour\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"traffic-every-hour\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Trafficked Workload Stats\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Enter the number of workloads for which the inbound and outbound connections are to be fetched. These workloads will be ordered by connection count. 
\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0dead08f-24f5-40b3-a011-a59e007a8e70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"workload_count\",\"label\":\"Workload Count\",\"type\":1,\"description\":\"Provide an integer that denotes the limit for retrieving most trafficked workloads\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 5, \\\\\\\"label\\\\\\\": 5, \\\\\\\"selected\\\\\\\": true}\\\"}\\n\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":8,\"value\":\"10\"}],\"style\":\"pills\",\"queryType\":8},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let workload_count = {workload_count};\\nlet table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| extend hostname = coalesce(src_hostname, dst_hostname)\\n| summarize Count = count() by hostname, dir\\n| summarize InboundCount = sum(iff(dir == \\\"I\\\", Count, 0)), OutboundCount = sum(iff(dir == \\\"O\\\", Count, 0)) by hostname\\n| top workload_count by hostname\\n\",\"size\":0,\"title\":\"Most Trafficked Workloads\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"workload\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"hostname\",\"showLegend\":true,\"xSettings\":{\"label\":\"Workloads\"},\"ySettings\":{\"label\":\"Traffic Connections\"}}},\"name\":\"Most Trafficked 
Workloads\"}]},\"name\":\"MostTraffickedWorkload\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Traffic Explorer\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Filters for querying traffic data\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"## Traffic Explorer\\n### Please enter source ip, destination ip, destination port, protocol, time range to filter traffic records. \\n### All records are returned unless provided.\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8ab7ce90-16a6-4e7e-85b7-292234a9d3c1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_ip\",\"label\":\"Source IP\",\"type\":2,\"description\":\"Select source ip\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize by src_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"24f11ee0-0b0b-4c79-918b-01df57233aa2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_ip\",\"label\":\"Destination IP\",\"type\":2,\"description\":\"Select destination ips\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize by 
dst_ip\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb9fe16e-be04-479d-9389-0095c2b43d50\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_port\",\"label\":\"Destination Port\",\"type\":2,\"description\":\"Select destination port\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize by dst_port\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"416ab303-c10f-47c1-9f01-7c1324699b49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"protocol\",\"label\":\"Protocol\",\"type\":2,\"description\":\"Protocol for fetching traffic records. 
For multiple, use comma as delimiter like 6,17\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| summarize by proto\\n| extend protocolName = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n 
proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, 
\\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f07c08c2-ff0f-42a7-adc6-4fd5d7f1cb19\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"src_label\",\"label\":\"Source Label\",\"type\":2,\"description\":\"Filter for source labels\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where src_labels != ''\\n| extend parsed_labels = parse_json(src_labels)\\n| mv-expand kind=array parsed_labels\\n| extend src_label=tostring(parsed_labels[1])\\n| summarize by 
src_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9d5cb77f-31a5-41ed-8849-aaee2b513f54\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"dst_label\",\"label\":\"Destination Label\",\"type\":2,\"description\":\"Filter for destination label\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where dst_labels != ''\\n| extend parsed_labels = parse_json(dst_labels)\\n| mv-expand kind=array parsed_labels\\n| extend dst_label=tostring(parsed_labels[1])\\n| summarize by dst_label\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"time_range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"formHorizontal\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"all_traffic_params\",\"styleSettings\":{\"maxWidth\":\"30\"}}],\"exportParameters\":true},\"name\":\"parameters_group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol})) \\n| extend policy_decision = \\n case(pd == 0, \\\"Allowed\\\",\\n pd == 1, 
\\\"Potentially Blocked\\\",\\n pd == 2, \\\"Blocked\\\",\\n \\\"Unknown\\\")\\n| summarize count() by policy_decision\\n\",\"size\":2,\"title\":\"Flow count by policy decision\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Potentially Blocked\",\"color\":\"yellow\"},{\"seriesName\":\"Allowed\",\"color\":\"green\"},{\"seriesName\":\"Blocked\",\"color\":\"red\"},{\"seriesName\":\"Unknown\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Flow count by policy decision\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nlet table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend class_type = \\n case(class == 'B', 'Broadcast',\\n class == 'M', 'Multicast',\\n class == 'U', \\\"Unicast\\\",\\n \\\"Unknown\\\")\\n| summarize count() by class_type\\n\",\"size\":2,\"title\":\"Flows by class\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"Flows by class\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### A service is indicated with a destination port and protocol, represented in the below graph as \\\"destination_port/protocol\\\"\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = 
'{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where (src_ip in ({src_ip}) or '*' in ({src_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocolName = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, 
\\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, 
\\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| extend service = strcat(dst_port, '/', protocolName)\\n| summarize service_count = count() by service\\n| top 5 by service_count\\n\",\"size\":0,\"title\":\"Top 5 Services by Flow Count\",\"color\":\"blue\",\"noDataMessage\":\"No services found\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"xAxis\":\"service\",\"yAxis\":[\"service_count\"],\"xSettings\":{\"label\":\"Destination Service\"},\"ySettings\":{\"label\":\"Count\"}}},\"name\":\"Top 5 Services by Flow Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where pd == 2 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in 
({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, 
\\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, 
\\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Blocked Traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Blocked Traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where pd == 1 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, 
\\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, 
\\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, \\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, 
\\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, protocol\\n\\n\",\"size\":0,\"title\":\"Potentially blocked traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Potentially blocked traffic\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let table_to_search_from = '{TableToSearchFrom}';\\ntable(table_to_search_from)\\n| where pd == 0 and (src_ip in ({src_ip}) or '*' in ({src_ip})) and (dst_ip in ({dst_ip}) or '*' in ({dst_ip})) and (src_labels has_any ({src_label}) or '*' in ({src_label})) and (dst_labels has_any ({dst_label}) or '*' in ({dst_label})) and (dst_port in ({dst_port}) or '*' in ({dst_port})) and (proto in ({protocol}) or '*' in ({protocol}))\\n| extend protocol = case(\\n proto == -1, \\\"all\\\",\\n proto == 0, \\\"hopopt\\\",\\n proto == 1, \\\"icmp\\\",\\n proto == 2, \\\"igmp\\\",\\n proto == 3, \\\"ggp\\\",\\n proto == 4, \\\"ipv4\\\",\\n proto == 5, \\\"st\\\",\\n proto == 6, \\\"tcp\\\",\\n proto == 7, \\\"cbt\\\",\\n proto == 8, \\\"egp\\\",\\n proto == 9, \\\"igp\\\",\\n proto == 10, \\\"bbn-rcc-mon\\\",\\n proto == 11, \\\"nvp-ii\\\",\\n proto == 12, \\\"pup\\\",\\n proto == 13, \\\"argus\\\",\\n proto == 14, \\\"emcon\\\",\\n proto == 15, \\\"xnet\\\",\\n proto == 16, \\\"chaos\\\",\\n proto == 17, \\\"udp\\\",\\n proto == 18, \\\"mux\\\",\\n proto == 19, \\\"dcn-meas\\\",\\n proto == 20, \\\"hmp\\\",\\n proto == 21, \\\"prm\\\",\\n proto == 22, \\\"xns-idp\\\",\\n proto == 23, \\\"trunk-1\\\",\\n proto == 24, \\\"trunk-2\\\",\\n 
proto == 25, \\\"leaf-1\\\",\\n proto == 26, \\\"leaf-2\\\",\\n proto == 27, \\\"rdp\\\",\\n proto == 28, \\\"irtp\\\",\\n proto == 29, \\\"iso-tp4\\\",\\n proto == 30, \\\"netblt\\\",\\n proto == 31, \\\"mfe-nsp\\\",\\n proto == 32, \\\"merit-inp\\\",\\n proto == 33, \\\"dccp\\\",\\n proto == 34, \\\"3pc\\\",\\n proto == 35, \\\"idpr\\\",\\n proto == 36, \\\"xtp\\\",\\n proto == 37, \\\"ddp\\\",\\n proto == 38, \\\"idpr-cmtp\\\",\\n proto == 39, \\\"tp++\\\",\\n proto == 40, \\\"il\\\",\\n proto == 41, \\\"ipv6\\\",\\n proto == 42, \\\"sdrp\\\",\\n proto == 43, \\\"ipv6-route\\\",\\n proto == 44, \\\"ipv6-frag\\\",\\n proto == 45, \\\"idrp\\\",\\n proto == 46, \\\"rsvp\\\",\\n proto == 47, \\\"gre\\\",\\n proto == 48, \\\"dsr\\\",\\n proto == 49, \\\"bna\\\",\\n proto == 50, \\\"esp\\\",\\n proto == 51, \\\"ah\\\",\\n proto == 52, \\\"i-nlsp\\\",\\n proto == 53, \\\"swipe\\\",\\n proto == 54, \\\"narp\\\",\\n proto == 55, \\\"mobile\\\",\\n proto == 56, \\\"tlsp\\\",\\n proto == 57, \\\"skip\\\",\\n proto == 58, \\\"ipv6-icmp\\\",\\n proto == 59, \\\"ipv6-nonxt\\\",\\n proto == 60, \\\"ipv6-opts\\\",\\n proto == 62, \\\"cftp\\\",\\n proto == 64, \\\"sat-expak\\\",\\n proto == 65, \\\"kryptolan\\\",\\n proto == 66, \\\"rvd\\\",\\n proto == 67, \\\"ippc\\\",\\n proto == 69, \\\"sat-mon\\\",\\n proto == 70, \\\"visa\\\",\\n proto == 71, \\\"ipcv\\\",\\n proto == 72, \\\"cpnx\\\",\\n proto == 73, \\\"cphb\\\",\\n proto == 74, \\\"wsn\\\",\\n proto == 75, \\\"pvp\\\",\\n proto == 76, \\\"br-sat-mon\\\",\\n proto == 77, \\\"sun-nd\\\",\\n proto == 78, \\\"wb-mon\\\",\\n proto == 79, \\\"wb-expak\\\",\\n proto == 80, \\\"iso-ip\\\",\\n proto == 81, \\\"vmtp\\\",\\n proto == 82, \\\"secure-vmtp\\\",\\n proto == 83, \\\"vines\\\",\\n proto == 84, \\\"iptm\\\",\\n proto == 85, \\\"nsfnet-igp\\\",\\n proto == 86, \\\"dgp\\\",\\n proto == 87, \\\"tcf\\\",\\n proto == 88, \\\"eigrp\\\",\\n proto == 89, \\\"ospfigp\\\",\\n proto == 90, \\\"sprite-rpc\\\",\\n proto == 91, 
\\\"larp\\\",\\n proto == 92, \\\"mtp\\\",\\n proto == 93, \\\"ax.25\\\",\\n proto == 94, \\\"ipip\\\",\\n proto == 95, \\\"micp\\\",\\n proto == 96, \\\"scc-sp\\\",\\n proto == 97, \\\"etherip\\\",\\n proto == 98, \\\"encap\\\",\\n proto == 100, \\\"gmtp\\\",\\n proto == 101, \\\"ifmp\\\",\\n proto == 102, \\\"pnni\\\",\\n proto == 103, \\\"pim\\\",\\n proto == 104, \\\"aris\\\",\\n proto == 105, \\\"scps\\\",\\n proto == 106, \\\"qnx\\\",\\n proto == 107, \\\"a/n\\\",\\n proto == 108, \\\"ipcomp\\\",\\n proto == 109, \\\"snp\\\",\\n proto == 110, \\\"compaq-peer\\\",\\n proto == 111, \\\"ipx-in-ip\\\",\\n proto == 112, \\\"vrrp\\\",\\n proto == 113, \\\"pgm\\\",\\n proto == 115, \\\"l2tp\\\",\\n proto == 116, \\\"ddx\\\",\\n proto == 117, \\\"iatp\\\",\\n proto == 118, \\\"stp\\\",\\n proto == 119, \\\"srp\\\",\\n proto == 120, \\\"uti\\\",\\n proto == 121, \\\"smp\\\",\\n proto == 122, \\\"sm\\\",\\n proto == 123, \\\"ptp\\\",\\n proto == 124, \\\"isis over ipv4\\\",\\n proto == 125, \\\"fire\\\",\\n proto == 126, \\\"crtp\\\",\\n proto == 127, \\\"crudp\\\",\\n proto == 128, \\\"sscopmce\\\",\\n proto == 129, \\\"iplt\\\",\\n proto == 130, \\\"sps\\\",\\n proto == 131, \\\"pipe\\\",\\n proto == 132, \\\"sctp\\\",\\n proto == 133, \\\"fc\\\",\\n proto == 134, \\\"rsvp-e2e-ignore\\\",\\n proto == 135, \\\"mobility header\\\",\\n proto == 136, \\\"udplite\\\",\\n proto == 137, \\\"mpls-in-ip\\\",\\n proto == 138, \\\"manet\\\",\\n proto == 139, \\\"hip\\\",\\n proto == 140, \\\"shim6\\\",\\n proto == 141, \\\"wesp\\\",\\n proto == 142, \\\"rohc\\\",\\n proto == 143, \\\"ethernet\\\",\\n proto == 144, \\\"aggfrag\\\",\\n proto == 145, \\\"nsh\\\",\\n proto >= 146 and proto <= 252, \\\"unknown\\\",\\n proto == 253, \\\"unknown\\\",\\n proto == 254, \\\"unknown\\\",\\n proto == 255, \\\"reserved\\\",\\n \\\"unknown\\\"\\n)\\n| project TimeGenerated, src_ip, src_hostname, src_labels, dst_ip, dst_hostname, dst_port, dst_labels, 
protocol\\n\",\"size\":0,\"title\":\"Allowed traffic\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Allowed traffic\"}]},\"name\":\"Traffic Explorer\"}],\"fromTemplateId\":\"sentinel-FlowDataWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -692,7 +706,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IllumioWorkloadsStats Workbook with template version 3.3.0",
+ "description": "IllumioWorkloadsStats Workbook with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion3')]", 
@@ -710,7 +724,7 @@
 },
 "properties": {
 "displayName": "[parameters('workbook3-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Illumio Workloads Stats\\n---\\n\\nThis workbook uses Illumio APIs to fetch workload details and presents stats.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"4de2c193-277e-4f8e-88b5-2caac1676e2b\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Operations\",\"subTarget\":\"0\",\"style\":\"link\",\"tabWidth\":\"500px\"},{\"id\":\"8b46c8dd-071a-4bd4-9d36-1247d8777702\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Investigations\",\"subTarget\":\"1\",\"style\":\"link\",\"tabWidth\":\"500px\"}]},\"name\":\"links - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print workload_response = '{GETWorkloadsAPI}'\\n| project parse_json(workload_response)\\n| mv-apply workload_response on (\\n where workload_response.managed == 'true' and isnotempty(workload_response.risk_summary)\\n | project exposure_severity = workload_response.risk_summary.ransomware.workload_exposure_severity,\\n protection_percentage = workload_response.risk_summary.ransomware.ransomware_protection_percent,\\n updated_at = workload_response.risk_summary.ransomware.last_updated_at\\n )\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 
0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"Ransomware\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_version)\\n| mv-expand keyValue = parsedJson\\n| extend version = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project version, count_\",\"size\":3,\"title\":\"Workloads by VEN Version\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_managed)\\n| mv-expand keyValue = parsedJson\\n| extend managed = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project managed = iff(managed == 'true', 'Managed', 'Unmanaged'), count_\",\"size\":3,\"title\":\"Managed and Unmanaged workload counts\",\"noDataMessage\":\"No workloads\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 
4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_type)\\n| mv-expand keyValue = parsedJson\\n| extend type = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project type, count_\",\"size\":3,\"title\":\"VENs by type\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_os)\\n| mv-expand keyValue = parsedJson\\n| extend os = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project os, count_\",\"size\":3,\"title\":\"Managed workloads by OS\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 
6\",\"styleSettings\":{\"maxWidth\":\"50\"}}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"0\"},\"name\":\"WorkloadOperations\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_enforcement_mode)\\n| mv-expand keyValue = parsedJson\\n| extend mode = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project mode = case(mode == 'full', 'Full',\\n mode == 'visibility_only', 'Visibility Only',\\n mode == 'selective', \\\"Selective\\\",\\n \\\"Idle\\\"), count_\\n\",\"size\":3,\"title\":\"Workloads by enforcement modes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 7\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_status)\\n| mv-expand keyValue = parsedJson\\n| extend status = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project status, count_\\n\",\"size\":3,\"title\":\"VENs by Status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 
1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_sync_state)\\n| mv-expand keyValue = parsedJson\\n| extend sync_state = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project sync_state, count_\\n\",\"size\":3,\"title\":\"VENs by synchronization state\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Workload Investigations\"}],\"fromTemplateId\":\"sentinel-apiWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Illumio Workloads Stats\\n---\\n\\nThis workbook uses Illumio APIs to fetch workload details and presents stats.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"4de2c193-277e-4f8e-88b5-2caac1676e2b\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Operations\",\"subTarget\":\"0\",\"style\":\"link\",\"tabWidth\":\"500px\"},{\"id\":\"8b46c8dd-071a-4bd4-9d36-1247d8777702\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workload Investigations\",\"subTarget\":\"1\",\"style\":\"link\",\"tabWidth\":\"500px\"}]},\"name\":\"links - 
9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print workload_response = '{GETWorkloadsAPI}'\\n| project parse_json(workload_response)\\n| mv-apply workload_response on (\\n where workload_response.managed == 'true' and isnotempty(workload_response.risk_summary)\\n | project exposure_severity = workload_response.risk_summary.ransomware.workload_exposure_severity,\\n protection_percentage = workload_response.risk_summary.ransomware.ransomware_protection_percent,\\n updated_at = workload_response.risk_summary.ransomware.last_updated_at\\n )\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"protection_percentage\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"Ransomware\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_version)\\n| mv-expand keyValue = parsedJson\\n| extend version = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project version, count_\",\"size\":3,\"title\":\"Workloads by VEN 
Version\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_managed)\\n| mv-expand keyValue = parsedJson\\n| extend managed = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project managed = iff(managed == 'true', 'Managed', 'Unmanaged'), count_\",\"size\":3,\"title\":\"Managed and Unmanaged workload counts\",\"noDataMessage\":\"No workloads\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_type)\\n| mv-expand keyValue = parsedJson\\n| extend type = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project type, count_\",\"size\":3,\"title\":\"VENs by 
type\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_os)\\n| mv-expand keyValue = parsedJson\\n| extend os = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project os, count_\",\"size\":3,\"title\":\"Managed workloads by OS\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"maxWidth\":\"50\"}}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"0\"},\"name\":\"WorkloadOperations\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_enforcement_mode)\\n| mv-expand keyValue = parsedJson\\n| extend mode = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project mode = case(mode == 'full', 'Full',\\n mode == 'visibility_only', 'Visibility Only',\\n mode == 'selective', \\\"Selective\\\",\\n \\\"Idle\\\"), 
count_\\n\",\"size\":3,\"title\":\"Workloads by enforcement modes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 7\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_status)\\n| mv-expand keyValue = parsedJson\\n| extend status = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project status, count_\\n\",\"size\":3,\"title\":\"VENs by Status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Illumio_Workloads_Summarized_API_CL\\n| order by TimeGenerated desc\\n| top 1 by TimeGenerated\\n| extend parsedJson = parse_json(vens_by_sync_state)\\n| mv-expand keyValue = parsedJson\\n| extend sync_state = tostring(bag_keys(keyValue)[0]), count_ = toint(keyValue[tostring(bag_keys(keyValue)[0])])\\n| project sync_state, count_\\n\",\"size\":3,\"title\":\"VENs by synchronization state\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumIntegerDigits\":1}}}}},\"name\":\"query - 
2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Workload Investigations\"}],\"fromTemplateId\":\"sentinel-apiWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel" 
@@ -770,6 +784,93 @@ "version": "[variables('workbookVersion3')]" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "IllumioOnPremHealth Workbook with template version 3.4.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId4')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "This workbook leverages events ingested by 'Syslog via AMA devices' and presents insights" + }, + "properties": { + "displayName": "[parameters('workbook4-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook leverages a function app to make an API call to Illumio Health API. 
\\nThe function app has the context of the onprem deployment to which api call has to be made.\\n\\nSome of the widgets also use Syslog table to visualize data.\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f0562353-928f-41f0-875c-99eb0f95fa38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Illumio_Health\",\"label\":\"Illumio Health\",\"type\":1,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"CustomEndpoint/1.0\\\",\\\"headers\\\":[],\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"https://azureonprempcehealth.azurewebsites.net/api/pce_onprem_http_trigger\\\",\\\"contentType\\\":\\\"text/plain\\\",\\\"urlParams\\\":[]}\\n\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":10},{\"id\":\"2a4639d7-a9c8-4e65-8bd7-26b97d813f6d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000}],\"allowCustom\":true},\"value\":{\"durationMs\":259200000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]\\n| project ClusterStatus = strcat(toupper(substring(json.status, 0, 1)), substring(json.status, 1))\\n\",\"size\":1,\"title\":\"Cluster 
Status\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"stat\",\"statSettings\":{\"valueAggregation\":\"None\",\"colorSettings\":{\"type\":\"static\",\"mode\":\"background\",\"heatmapPalette\":\"greenRed\"},\"tagText\":\"\",\"valueFontStyle\":\"mega\"},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]['nodes'][0]\\n| project json.runlevel\",\"size\":1,\"title\":\"Cluster Runlevel \",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"stat\",\"statSettings\":{\"valueAggregation\":\"None\",\"colorSettings\":{\"type\":\"static\",\"mode\":\"background\",\"heatmapPalette\":\"greenRed\"},\"tagText\":\"\",\"valueFontStyle\":\"mega\"},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print nodes = todynamic('{Illumio_Health}')[0]['nodes']\\n| mv-expand nodes\\n| project Services_Running = array_length(nodes['services']['running'])\\n\\n\\n\",\"size\":1,\"title\":\"Running 
Services\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"stat\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Services_Running\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"45ch\"}},{\"columnMatch\":\"Services_Stopped\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"45ch\"}},{\"columnMatch\":\"Services_Partial\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"45ch\"}},{\"columnMatch\":\"services_running\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"sourceColumn\":\"services_stopped\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"sourceColumn\":\"services_partial\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"45ch\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"hostname\"},\"leftContent\":{\"columnMatch\":\"services_running\"},\"rightContent\":{\"columnMatch\":\"services_stopped\"},\"secondaryContent\":{\"columnMatch\":\"services_partial\"},\"showBorder\":false},\"graphSettings\":{\"type\":0},\"statSettings\":{\"valueAggregation\":\"None\",\"colorSettings\":{\"type\":\"static\",\"mode\":\"foreground\",\"staticColor\":\"green\",\"heatmapPalette\":\"greenRed\"},\"tagText\":\"\",\"valueFontStyle\":\"mega\"}},\"customWidth\":\"33.33\",\"name\":\"query - 
2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print nodes = todynamic('{Illumio_Health}')[0]['nodes']\\n| mv-expand nodes\\n| project Services_stopped = coalesce(array_length(nodes['services']['stopped']), 0)\\n\\n\\n\",\"size\":1,\"title\":\"Stopped Services\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"stat\",\"statSettings\":{\"valueAggregation\":\"None\",\"colorSettings\":{\"type\":\"static\",\"mode\":\"foreground\",\"staticColor\":\"redBright\",\"heatmapPalette\":\"greenRed\"},\"tagText\":\"\",\"valueFontStyle\":\"mega\"}},\"customWidth\":\"33.33\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print nodes = todynamic('{Illumio_Health}')[0]['nodes']\\n| mv-expand nodes\\n| project Services_partial = coalesce(array_length(nodes['services']['partial']), 0)\\n\\n\\n\",\"size\":1,\"title\":\"Partial Services\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"stat\",\"statSettings\":{\"valueAggregation\":\"None\",\"colorSettings\":{\"type\":\"static\",\"mode\":\"foreground\",\"staticColor\":\"gray\",\"heatmapPalette\":\"greenRed\"},\"tagText\":\"\",\"valueFontStyle\":\"mega\"}},\"customWidth\":\"33\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"service stats\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Node Status\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print nodes = todynamic('{Illumio_Health}')[0]['nodes']\\n| mv-expand nodes\\n| project Hostname = nodes['hostname'], Runlevel = nodes['runlevel'], IpAddress = 
nodes['ip_address']\\n\\n\\n\",\"size\":3,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Hostname\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"15ch\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Hostname\",\"formatter\":1,\"tooltipFormat\":{\"tooltip\":\"Hostname\"}},\"leftContent\":{\"columnMatch\":\"Runlevel\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"tooltipFormat\":{\"tooltip\":\"Runlevel\"}},\"secondaryContent\":{\"columnMatch\":\"IpAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"tooltipFormat\":{\"tooltip\":\"Ip Address\"}},\"showBorder\":true,\"size\":\"full\"}},\"customWidth\":\"100\",\"name\":\"query - 0\"}]},\"name\":\"node_status\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Disk Latency (in milliseconds)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Syslog\\n| where SyslogMessage has 'illumio_pce/system_health' and SyslogMessage has 'src=disk_latency' and SyslogMessage has 'disk=Traffic'\\n| extend traffic_disk_latency_milliseconds = toint(extract(@\\\"traffic_disk_latency_milliseconds=(\\\\d+)\\\", 1, SyslogMessage))\\n\",\"size\":0,\"aggregation\":3,\"title\":\"Traffic Disk\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"traffic_disk_latency_milliseconds\"],\"seriesLabelSettings\":[{\"seriesName\":\"153035ad-fede-495a-b6c2-6d4308689f79\",\"label\":\"Latency in milliseconds\"}],\"customThresholdLine\":\"300\",\"customThresholdLineStyle\":5,\"xSettings\":{\"label\":\"Time\"},\"ySettings\":{\"label\":\"Traffic Disk Latency\"}}},\"customWidth\":\"50\",\"name\":\"query - 
0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Syslog\\n| where SyslogMessage has 'illumio_pce/system_health' and SyslogMessage has 'src=disk_latency' and SyslogMessage has 'disk=Policy'\\n| extend policy_disk_latency_milliseconds = toint(extract(@\\\"policy_disk_latency_milliseconds=(\\\\d+)\\\", 1, SyslogMessage))\\n\",\"size\":0,\"aggregation\":3,\"title\":\"Policy Disk\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"policy_disk_latency_milliseconds\"],\"seriesLabelSettings\":[{\"seriesName\":\"153035ad-fede-495a-b6c2-6d4308689f79\",\"label\":\"Latency in milliseconds\"}],\"customThresholdLine\":\"300\",\"customThresholdLineStyle\":5}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Traffic Ingestion Stats\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Syslog\\n| where SyslogMessage has 'illumio_pce/system_health'\\n| extend \\n collector_flows = iif(SyslogMessage has 'src=collector', toint(extract(@\\\"collector_summaries_per_second=(\\\\d+)\\\", 1, SyslogMessage)), 0),\\n traffic_flows = iif(SyslogMessage has 'src=flow_analytics', toint(extract(@\\\"traffic_summaries_per_second=(\\\\d+)\\\", 1, SyslogMessage)), 0)\\n| summarize \\n collector_flows = sum(collector_flows), \\n traffic_flows = sum(traffic_flows) \\n by bin(TimeGenerated, 10m) // Adjust bin size (e.g., 1m for minutes, 5m, etc.)\\n| order by TimeGenerated asc\\n\",\"size\":3,\"aggregation\":3,\"title\":\"Traffic Flow Ingestion Rate 
(Average)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"collector_flows\",\"traffic_flows\"]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Syslog\\n| where SyslogMessage has 'illumio_pce/system_health' and SyslogMessage has 'src=flow_analytics'\\n| extend traffic_summaries_per_second = todouble(extract(@\\\"traffic_summaries_per_second=([\\\\d\\\\.]+)\\\", 1, SyslogMessage))\\n| extend traffic_backlog_utilization_percentage = todouble(extract(@\\\"traffic_backlog_utilization_percentage=([\\\\d\\\\.]+)\\\", 1, SyslogMessage))\\n| extend traffic_database_size_gb = todouble(extract(@\\\"traffic_database_size_gb=([\\\\d\\\\.]+)\\\", 1, SyslogMessage))\\n| extend traffic_database_utilization_percentage = todouble(extract(@\\\"traffic_database_utilization_percentage=([\\\\d\\\\.]+)\\\", 1, SyslogMessage))\\n| extend traffic_database_size_days = todouble(extract(@\\\"traffic_database_size_days=([\\\\d\\\\.]+)\\\", 1, SyslogMessage))\\n| project TimeGenerated, traffic_summaries_per_second, traffic_backlog_utilization_percentage, traffic_database_size_gb, traffic_database_utilization_percentage, traffic_database_size_days\",\"size\":3,\"aggregation\":3,\"title\":\"Traffic Backlog vs Traffic DB Utilization\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"traffic_backlog_utilization_percentage\",\"traffic_database_utilization_percentage\"]}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print 
json = todynamic('{Illumio_Health}')[0]\\n| mv-expand group = parsejson(json.groups)\\n| extend components = group.components\\n| mv-expand section = parsejson(components)\\n| where section['section'] == 'VEN Heartbeat'\\n| mv-expand node = section.contents[0].cluster\\n| mv-expand node_metrics = node.metrics\\n| project NodeAddress = node.node, Metric = node_metrics['metric'], MetricValue = node_metrics['entries'][0]['values'][0]['value']\",\"size\":3,\"title\":\"VEN Heartbeat Stats\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]\\n| mv-expand group = parsejson(json.groups)\\n| extend components = group.components\\n| mv-expand section = parsejson(components)\\n| where section['section'] == 'VEN Policy'\\n| mv-expand node = section.contents[0].cluster\\n| mv-expand node_metrics = node.metrics\\n| project NodeAddress = node.node, Metric = node_metrics['metric'], MetricValue = node_metrics['entries'][0]['values'][0]['value']\",\"size\":3,\"title\":\"VEN Policy Stats\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]\\n| mv-expand group = parsejson(json.groups)\\n| extend components = group.components\\n| mv-expand section = parsejson(components)\\n| where section['section'] == 'Policy Database Summary'\\n| mv-expand content = section.contents\\n| project Metric = content['metric'], MetricValue = content['entries'][0]['values'][0]['value'], Unit = coalesce(content['entries'][0]['values'][0]['unit'], '')\",\"size\":0,\"title\":\"Policy Database 
Summary\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"print json = todynamic('{Illumio_Health}')[0]\\n| mv-expand group = parsejson(json.groups)\\n| extend components = group.components\\n| mv-expand section = parsejson(components)\\n| where section['section'] == 'Traffic Database Summary'\\n| mv-expand content = section.contents\\n| project Metric = content['metric'], MetricValue = content['entries'][0]['values'][0]['value'], Unit = coalesce(content['entries'][0]['values'][0]['unit'], '')\",\"size\":0,\"title\":\"Traffic Database Summary\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-UserWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]", + "properties": { + "description": "@{workbookKey=IllumioOnPremHealthWorkbook; logoFileName=IllumioLogo.svg; description=This workbook leverages events ingested by 'Syslog via AMA devices' and presents insights; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Illumio OnPrem Health Workbook; templateRelativePath=IllumioOnPremHealth.json; subtitle=; provider=Illumio}.description", + "parentId": "[variables('workbookId4')]", + "contentId": 
"[variables('_workbookContentId4')]", + "kind": "Workbook", + "version": "[variables('workbookVersion4')]", + "source": { + "kind": "Solution", + "name": "IllumioSaaS", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "app-integrations@illumio.com" + }, + "support": { + "name": "Illumio", + "email": "app-integrations@illumio.com", + "tier": "Partner", + "link": "https://www.illumio.com/support/support" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Syslog", + "kind": "DataType" + }, + { + "contentId": "SyslogAMA", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId4')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook4-name')]", + "contentProductId": "[variables('_workbookcontentProductId4')]", + "id": "[variables('_workbookcontentProductId4')]", + "version": "[variables('workbookVersion4')]" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -779,7 +880,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Firewall_Tampering_Detection_Query_AnalyticalRules Analytics Rule with template version 3.3.0", + "description": "Illumio_VEN_Firewall_Tampering_Detection_Query_AnalyticalRules Analytics Rule with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
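Review bot: The `Illumio_Health` parameter inside the new workbook's `serializedData` is a `CustomEndpoint/1.0` query hard-wired to `https://azureonprempcehealth.azurewebsites.net/api/pce_onprem_http_trigger` with an empty `headers` list, so every tenant that installs this package will fetch its PCE health data from that single externally hosted function app, unauthenticated, and pass the response straight into `todynamic('{Illumio_Health}')` in the stat and table tiles. The workbook's own intro text says the function app "has the context of the onprem deployment", i.e. it is deployment-specific, so the host should be a workbook parameter the installer fills in rather than a fixed URL hidden by `isHiddenWhenLocked`, and the intro should state that the tiles render whatever that endpoint returns. Separately, the metadata resource's `description` is a serialised PowerShell hashtable (`@{workbookKey=IllumioOnPremHealthWorkbook; ... }.description`), which looks like a packaging-script bug; the expected value is the plain sentence used in the contentTemplate's `metadata.description` above. That sentence in turn claims the workbook "leverages events ingested by 'Syslog via AMA devices'", which covers only the disk-latency and traffic-ingestion tiles, while the health, service and VEN tiles depend on the function app and are not reflected in the `dependencies` list.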
@@ -821,22 +922,22 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "columnName": "hostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "hostname" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "ipaddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "ipaddress" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { @@ -898,7 +999,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Enforcement_Change_Detection_Query_AnalyticalRules Analytics Rule with template version 3.3.0", + "description": "Illumio_VEN_Enforcement_Change_Detection_Query_AnalyticalRules Analytics Rule with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -940,31 +1041,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "columnName": "workload_name", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "workload_name" } - ] + ], + "entityType": "Host" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "created_by", - "identifier": "Name" + "identifier": "Name", + "columnName": "created_by" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "ipaddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "ipaddress" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { 
@@ -1026,7 +1127,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Offline_Detection_Query_AnalyticalRules Analytics Rule with template version 3.3.0", + "description": "Illumio_VEN_Offline_Detection_Query_AnalyticalRules Analytics Rule with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1068,13 +1169,13 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "columnName": "hostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "hostname" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -1136,7 +1237,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Clone_Detection_Query_AnalyticalRules Analytics Rule with template version 3.3.0", + "description": "Illumio_VEN_Clone_Detection_Query_AnalyticalRules Analytics Rule with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1178,13 +1279,13 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "columnName": "hostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "hostname" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { 
@@ -1246,7 +1347,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Deactivated_Query_AnalyticalRules Analytics Rule with template version 3.3.0", + "description": "Illumio_VEN_Deactivated_Query_AnalyticalRules Analytics Rule with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1288,22 +1389,22 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "columnName": "hostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "hostname" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "ipaddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "ipaddress" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { @@ -1365,7 +1466,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Suspend_Query_AnalyticalRules Analytics Rule with template version 3.3.0", + "description": "Illumio_VEN_Suspend_Query_AnalyticalRules Analytics Rule with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -1407,22 +1508,22 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "columnName": "hostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "hostname" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "ipaddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "ipaddress" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { @@ -1484,7 +1585,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IllumioSaaS_FunctionAppConnector Playbook with template version 3.3.0", + "description": "IllumioSaaS_FunctionAppConnector Playbook with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -1723,7 +1824,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio-Ven-Details Playbook with template version 3.3.0", + "description": "Illumio-Ven-Details Playbook with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", 
@@ -2167,7 +2268,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio-Port-Blocking-Switch Playbook with template version 3.3.0", + "description": "Illumio-Port-Blocking-Switch Playbook with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -2192,11 +2293,41 @@ "storageAccountName": "[[parameters('FunctionAppName')]", "functionAppName": "[[parameters('FunctionAppName')]", "applicationInsightsName": "[[parameters('FunctionAppName')]", + "o365ConnectionName": "[[[concat('o365-', parameters('PlaybookName'))]", + "sentinelConnectionName": "[[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" }, "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('o365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('DeployersUserName')]", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('sentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('DeployersUserName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, { "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01", 
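Review bot: `o365ConnectionName` and `sentinelConnectionName` are written with three opening brackets (`[[[concat('o365-', parameters('PlaybookName'))]`) while every other expression in this hunk, e.g. `connection-1` and the `Microsoft.Web/connections` names, uses `[[`; ARM turns a leading `[[` into a literal `[` once per template evaluation, so after the outer solution template is processed the nested playbook template receives `[[concat(...)]` and will name the two connection resources with the literal text `[concat('o365-', parameters('PlaybookName'))]` instead of `o365-<PlaybookName>`. The fix is `"o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]"` and `"sentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]"`, which presumably means dropping an extra bracket in the playbook's source azuredeploy.json before re-packaging rather than hand-editing this generated file. The same two lines appear in the Illumio-Quarantine-Workload hunk at `@@ -2436,11 +2587,41 @@`. Both new connections also use `parameters('DeployersUserName')` for `displayName`, but the parameters block of this playbook (Illumio-Port-Blocking-Switch) is not touched by the diff, so confirm that parameter is already declared there; only the Quarantine-Workload playbook gets it added in `@@ -2426,6 +2573,10 @@`.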
@@ -2327,6 +2458,22 @@ } } } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]", + "connectionName": "[[variables('sentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]" + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", + "connectionName": "[[variables('o365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + } + } + } } }, "tags": { @@ -2414,7 +2561,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio-Quarantine-Workload Playbook with template version 3.3.0", + "description": "Illumio-Quarantine-Workload Playbook with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -2426,6 +2573,10 @@ "description": "PlayBook Name" } }, + "DeployersUserName": { + "defaultValue": "@", + "type": "string" + }, "FunctionAppName": { "defaultValue": "illumiopbfuncapp", "type": "String", 
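Review bot: The `azuresentinel` entry in the new `$connections` parameter carries only `connectionId`, `connectionName` and `id`, so the Sentinel connector will authenticate as whichever user consents to the `Microsoft.Web/connections` resource after deployment rather than as the Logic App itself, and with `displayName` defaulting to `@` (the `DeployersUserName` default added in `@@ -2426,6 +2573,10 @@`) an operator has nothing to identify that connection by. The usual pattern for Sentinel playbooks is to add `"connectionProperties": {"authentication": {"type": "ManagedServiceIdentity"}}` to this entry and `"parameterValueType": "Alternative"` to the azuresentinel connection resource in the preceding hunk, which assumes the workflow carries a system-assigned `identity` block (not visible here) that is then granted the Microsoft Sentinel Responder role; the office365 connection still needs a delegated user and should keep its post-deployment consent step documented. The same `$connections` block is added for the Quarantine-Workload playbook in `@@ -2493,6 +2674,22 @@`. As a style point, `DeployersUserName` is declared with `"type": "string"` while the neighbouring `FunctionAppName` uses `"type": "String"`.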
@@ -2436,11 +2587,41 @@ }, "variables": { "functionAppName": "[[parameters('FunctionAppName')]", + "o365ConnectionName": "[[[concat('o365-', parameters('PlaybookName'))]", + "sentinelConnectionName": "[[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" }, "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('o365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('DeployersUserName')]", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('sentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('DeployersUserName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, { "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01", 
@@ -2493,6 +2674,22 @@
 }
 }
 }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
+ "connectionName": "[[variables('sentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+ },
+ "office365": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+ "connectionName": "[[variables('o365ConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+ }
+ }
+ }
 }
 },
 "tags": {
@@ -2576,12 +2773,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.3.0",
+ "version": "3.4.0",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "IllumioSaaS",
 "publisherDisplayName": "Illumio",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

IllumioSaaS solution provides ability to ingest auditable and flow events from AWS S3 bucket.

\n

Data Connectors: 1, Workbooks: 3, Analytic Rules: 6, Function Apps: 1, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

IllumioSaaS solution provides ability to ingest auditable and flow events from AWS S3 bucket.

\n

Data Connectors: 1, Workbooks: 4, Analytic Rules: 6, Function Apps: 1, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -2625,6 +2822,11 @@
 "contentId": "[variables('_workbookContentId3')]",
 "version": "[variables('workbookVersion3')]"
 },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId4')]",
+ "version": "[variables('workbookVersion4')]"
+ },
 {
 "kind": "AnalyticsRule",
 "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
diff --git a/Solutions/IllumioSaaS/Package/testParameters.json b/Solutions/IllumioSaaS/Package/testParameters.json
index 47149fc5efb..5dfce5d6192 100644
--- a/Solutions/IllumioSaaS/Package/testParameters.json
+++ b/Solutions/IllumioSaaS/Package/testParameters.json
@@ -44,5 +44,13 @@
 "metadata": {
 "description": "Name for the workbook"
 }
+ },
+ "workbook4-name": {
+ "type": "string",
+ "defaultValue": "Illumio OnPrem Health Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
 }
 }
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
index dd3e255161e..8e51d9b5a84 100644
--- a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
@@ -50,9 +50,38 @@
 "hostingPlanName": "[parameters('FunctionAppName')]",
 "storageAccountName": "[parameters('FunctionAppName')]",
 "functionAppName": "[parameters('FunctionAppName')]",
- "applicationInsightsName": "[parameters('FunctionAppName')]"
+ "applicationInsightsName": "[parameters('FunctionAppName')]",
+ "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]",
+ "sentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]"
+
 },
 "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('o365ConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "displayName": "[parameters('DeployersUserName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('sentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "displayName": "[parameters('DeployersUserName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ }
+ }
+ },
 {
 "type": "Microsoft.Logic/workflows",
 "apiVersion": "2017-07-01",
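Review bot: The new `o365ConnectionName` and `sentinelConnectionName` variables are written with a doubled opening bracket, `"[[concat('o365-', parameters('PlaybookName'))]"`, which in an ARM template is the escape for a literal string, so the two connection resources would be named with the literal text `[concat('o365-', parameters('PlaybookName'))]` instead of the computed name; every other expression in this file uses a single bracket, e.g. `"[parameters('FunctionAppName')]"`. The same escape appears in the Illumio-Quarantine-Workload variables hunk below, and the generated mainTemplate.json carries it through as `[[[concat(...)]`, where the extra bracket survives the packager's own escaping. The fix is `"o365ConnectionName": "[concat('o365-', parameters('PlaybookName'))]",` and `"sentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"`. This hunk also adds a stray empty line after `sentinelConnectionName` (the lone `+`), which the other playbook's hunk does not have. The `DeployersUserName` parameter read by `displayName` is not declared in any hunk of this file visible here; if it is not declared elsewhere, template validation will fail on the reference.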
@@ -189,7 +218,18 @@
 },
 "parameters": {
 "$connections": {
- "value": {}
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
+ "connectionName": "[variables('sentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ },
+ "office365": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+ "connectionName": "[variables('o365ConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+ }
+ }
 }
 }
 }
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json b/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json
index 291c961400c..3e0e2a4eeec 100644
--- a/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json
@@ -38,6 +38,10 @@
 "description": "PlayBook Name"
 }
 },
+ "DeployersUserName": {
+ "defaultValue": "@",
+ "type": "string"
+ },
 "FunctionAppName": {
 "defaultValue": "illumiopbfuncapp",
 "type": "String",
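Review bot: The `azuresentinel` entry added to `$connections` has no `connectionProperties`, and the matching `Microsoft.Web/connections` resource in the previous hunk has no `"parameterValueType": "Alternative"`, so the Sentinel connection is deployed as a user-delegated OAuth connection that someone must authorize by hand after deployment and that then acts with that person's permissions. The usual shape for Sentinel playbooks is to bind this connection to the Logic App's system-assigned identity, paired with a Microsoft Sentinel Responder role assignment on the workflow (neither the identity block nor the role assignment is visible in these hunks), which removes the standing user token and makes the playbook's incident actions attributable to the workflow itself. Add `"parameterValueType": "Alternative",` to the `sentinelConnectionName` connection resource and extend the `$connections` entry as below, keeping the existing `connectionId` and `connectionName` lines; the `office365` connection necessarily remains user-authorized. The Illumio-Quarantine-Workload `$connections` hunk further down has the same shape and wants the same change.

```json
"azuresentinel": {
  "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
  "connectionProperties": {
    "authentication": {
      "type": "ManagedServiceIdentity"
    }
  }
},
```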
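Review bot: The new `DeployersUserName` parameter has no `metadata.description`, unlike `PlaybookName` directly above it, and its default `"@"` is a meaningless value that becomes the portal `displayName` of both API connections created from it. Since the value only labels the connections, a description such as `"metadata": { "description": "Display name for the API connections, typically the deploying user's UPN" }` would tell the deployer what to enter, and the default should either be a recognizable placeholder or be dropped so the name is supplied explicitly. The type is written `"string"` while `FunctionAppName` below uses `"String"`; ARM accepts both, but one casing per file reads better.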
@@ -47,9 +51,37 @@
 }
 },
 "variables": {
- "functionAppName": "[parameters('FunctionAppName')]"
+ "functionAppName": "[parameters('FunctionAppName')]",
+ "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]",
+ "sentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]"
 },
 "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('o365ConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "displayName": "[parameters('DeployersUserName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('sentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "displayName": "[parameters('DeployersUserName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ }
+ }
+ },
 {
 "type": "Microsoft.Logic/workflows",
 "apiVersion": "2017-07-01",
@@ -108,7 +140,18 @@
 },
 "parameters": {
 "$connections": {
- "value": {}
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
+ "connectionName": "[variables('sentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ },
+ "office365": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+ "connectionName": "[variables('o365ConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+ }
+ }
 }
 }
 }
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index d0d539073f8..16fdcd4d458 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -8023,6 +8023,26 @@
 "subtitle": "",
 "provider": "Illumio"
 },
+ {
+ "workbookKey": "IllumioOnPremHealthWorkbook",
+ "logoFileName": "IllumioLogo.svg",
+ "description": "This workbook leverages events ingested by 'Syslog via AMA devices' and presents insights",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "SyslogAMA"
+ ],
+ "previewImagesFileNames": [
+ "IllumioWorkloadsSummarizedBlack.png",
+ "IllumioWorkloadsSummarizedWhite.png"
+ ],
+ "version": "1.2.0",
+ "title": "Illumio OnPrem Health Workbook",
+ "templateRelativePath": "IllumioOnPremHealth.json",
+ "subtitle": "",
+ "provider": "Illumio"
+ },
 {
 "workbookKey": "CEFOverview",
 "logoFileName": "Azure_Sentinel.svg",
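Review bot: The new `IllumioOnPremHealthWorkbook` entry lists `IllumioWorkloadsSummarizedBlack.png` and `IllumioWorkloadsSummarizedWhite.png` as its preview images, names that read as belonging to a workloads-summary workbook rather than an on-prem health view; if they are reused from another entry, the gallery will show the wrong screenshots for this workbook. The entry is registered at `"version": "1.2.0"` although it is new to this file, where a first publication would normally be `1.0.0` unless the workbook already shipped elsewhere. The description also stops mid-sentence at `presents insights`; something like `"This workbook leverages events ingested by the 'Syslog via AMA' connector and presents health insights for on-premises Illumio deployments"` (adjusted to what the workbook actually shows) would tell users what they get, and it is worth stating that `SyslogAMA` is a connector outside this solution that has to be enabled separately.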