diff --git a/Solutions/Semperis Directory Services Protector/Data/Solution_Semperis.json b/Solutions/Semperis Directory Services Protector/Data/Solution_Semperis.json
index 373e704d018..8b077c0b76f 100644
--- a/Solutions/Semperis Directory Services Protector/Data/Solution_Semperis.json
+++ b/Solutions/Semperis Directory Services Protector/Data/Solution_Semperis.json
@@ -26,7 +26,7 @@
 "Data Connectors/SemperisDSP-connector.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Semperis Directory Services Protector",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Semperis Directory Services Protector/Package/mainTemplate.json b/Solutions/Semperis Directory Services Protector/Package/mainTemplate.json
index fd5019a36f9..3a187084321 100644
--- a/Solutions/Semperis Directory Services Protector/Package/mainTemplate.json
+++ b/Solutions/Semperis Directory Services Protector/Package/mainTemplate.json
@@ -63,7 +63,7 @@
 },
 "variables": {
 "_solutionName": "Semperis Directory Services Protector",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "semperis.directory-services-protector-solution",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -175,7 +175,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SemperisDSPADChanges Workbook with template version 3.0.2",
+ "description": "SemperisDSPADChanges Workbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -193,7 +193,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"84513d7a-7856-4e1d-81cb-47ac72d832cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"d19d1b63-079c-45c0-98b8-f93d21843187\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ChangeType\",\"label\":\" Change Type\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\":\\\"Add\\\", \\\"label\\\":\\\"Create\\\"},\\r\\n {\\\"value\\\":\\\"Delete\\\", \\\"label\\\":\\\"Delete\\\"}, \\r\\n {\\\"value\\\":\\\"Modify\\\", \\\"label\\\":\\\"Modify\\\"}, \\r\\n {\\\"value\\\":\\\"Move\\\", \\\"label\\\":\\\"Move\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"8cf1ac5d-6b31-4ed9-9e88-313b36db2ae7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Class\",\"type\":1,\"timeContext\":{\"durationMs\":86400000},\"value\":\"\"},{\"id\":\"eb342abf-cde4-4fdd-88f5-932fc719561e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AttributeName\",\"label\":\"Attribute Name\",\"type\":1,\"timeContext\":{\"durationMs\":86400000},\"value\":\"\"},{\"id\":\"7e694221-97c0-43a6-acae-8a143a407e3c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ObjectChanged\",\"label\":\"Object 
Changed\",\"type\":1,\"timeContext\":{\"durationMs\":86400000},\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceEventClassID == 'Semperis.DSP.AdChanges'\\r\\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\r\\n| mv-expand bagexpansion=array p1Array\\r\\n| evaluate bag_unpack(p1Array)\\r\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\r\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\r\\n| parse column_ifexists('DistinguishedName', '') with * \\\"CN\\\\\\\\=\\\" cnName \\\",\\\" *\\r\\n| extend OriginatingTime=column_ifexists('OriginatingTime', '')\\r\\n| extend AttributeModificationType=column_ifexists('AttributeModificationType', '')\\r\\n| extend ClassName=column_ifexists('ClassName', '')\\r\\n| extend AttributeName=column_ifexists('AttributeName', '')\\r\\n| where isempty('{Time}') or (todatetime(OriginatingTime) >= todatetime('{Time:startISO}') and todatetime(OriginatingTime) <= todatetime('{Time:endISO}'))\\r\\n| where isempty('{ChangeType}') or (iif('{ChangeType}' == \\\"Delete\\\",indexof(AttributeModificationType,'{ChangeType}') > -1 or indexof(AttributeModificationType,'Remove') > -1,indexof(AttributeModificationType,'{ChangeType}') > -1))\\r\\n| where isempty('{Class}') or indexof(ClassName,'{Class}') > -1\\r\\n| where isempty('{AttributeName}') or indexof(AttributeName,'{AttributeName}') > -1\\r\\n| where isempty('{ObjectChanged}') or indexof(cnName,'{ObjectChanged}') > -1\\r\\n| project OriginatingTime, AttributeModificationType, AttributeName, cnName, ClassName, column_ifexists('DistinguishedName', ''), column_ifexists('LinkedValueDN', ''), 
column_ifexists('ObjectModificationType', ''),column_ifexists('OriginatingServer', ''),column_ifexists('OriginatingUserWorkstations', ''),column_ifexists('OriginatingUsers', ''),column_ifexists('PartitionNamingContext', ''),column_ifexists('StringValueFrom', ''),column_ifexists('StringValueTo', '')\",\"size\":0,\"title\":\"Semperis DSP AD Change\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"OriginatingTime\",\"label\":\"Originating Time\"},{\"columnId\":\"AttributeModificationType\",\"label\":\"Change Type\"},{\"columnId\":\"AttributeName\",\"label\":\"Attribute Name\"},{\"columnId\":\"cnName\",\"label\":\"CN\"},{\"columnId\":\"ClassName\",\"label\":\"Class\"},{\"columnId\":\"DistinguishedName\",\"label\":\"DN\"},{\"columnId\":\"LinkedValueDN\",\"label\":\"Linked Value DN\"},{\"columnId\":\"ObjectModificationType\",\"label\":\"Object Modification Type\"},{\"columnId\":\"OriginatingServer\",\"label\":\"Originating Server\"},{\"columnId\":\"OriginatingUserWorkstations\",\"label\":\"Originating Workstation\"},{\"columnId\":\"OriginatingUsers\",\"label\":\"Originating Identity\"},{\"columnId\":\"PartitionNamingContext\",\"label\":\"Partition\"},{\"columnId\":\"StringValueFrom\",\"label\":\"Value From\"},{\"columnId\":\"StringValueTo\",\"label\":\"Value To\"}]}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-SemperisDSPADChanges\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"84513d7a-7856-4e1d-81cb-47ac72d832cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"d19d1b63-079c-45c0-98b8-f93d21843187\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ChangeType\",\"label\":\" Change Type\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\":\\\"Add\\\", \\\"label\\\":\\\"Create\\\"},\\r\\n {\\\"value\\\":\\\"Delete\\\", \\\"label\\\":\\\"Delete\\\"}, \\r\\n {\\\"value\\\":\\\"Modify\\\", \\\"label\\\":\\\"Modify\\\"}, \\r\\n {\\\"value\\\":\\\"Move\\\", \\\"label\\\":\\\"Move\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"8cf1ac5d-6b31-4ed9-9e88-313b36db2ae7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Class\",\"type\":1,\"timeContext\":{\"durationMs\":86400000},\"value\":\"\"},{\"id\":\"eb342abf-cde4-4fdd-88f5-932fc719561e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AttributeName\",\"label\":\"Attribute Name\",\"type\":1,\"timeContext\":{\"durationMs\":86400000},\"value\":\"\"},{\"id\":\"7e694221-97c0-43a6-acae-8a143a407e3c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ObjectChanged\",\"label\":\"Object Changed\",\"type\":1,\"timeContext\":{\"durationMs\":86400000},\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvents \\r\\n| where DeviceEventClassID == 'Semperis.DSP.AdChanges'\\r\\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\r\\n| mv-expand bagexpansion=array p1Array\\r\\n| evaluate bag_unpack(p1Array)\\r\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\r\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\r\\n| parse column_ifexists('DistinguishedName', '') with * \\\"CN\\\\\\\\=\\\" cnName \\\",\\\" *\\r\\n| extend OriginatingTime=column_ifexists('OriginatingTime', '')\\r\\n| extend AttributeModificationType=column_ifexists('AttributeModificationType', '')\\r\\n| extend ClassName=column_ifexists('ClassName', '')\\r\\n| extend AttributeName=column_ifexists('AttributeName', '')\\r\\n| where isempty('{Time}') or (todatetime(OriginatingTime) >= todatetime('{Time:startISO}') and todatetime(OriginatingTime) <= todatetime('{Time:endISO}'))\\r\\n| where isempty('{ChangeType}') or (iif('{ChangeType}' == \\\"Delete\\\",indexof(AttributeModificationType,'{ChangeType}') > -1 or indexof(AttributeModificationType,'Remove') > -1,indexof(AttributeModificationType,'{ChangeType}') > -1))\\r\\n| where isempty('{Class}') or indexof(ClassName,'{Class}') > -1\\r\\n| where isempty('{AttributeName}') or indexof(AttributeName,'{AttributeName}') > -1\\r\\n| where isempty('{ObjectChanged}') or indexof(cnName,'{ObjectChanged}') > -1\\r\\n| project OriginatingTime, AttributeModificationType, AttributeName, cnName, ClassName, column_ifexists('DistinguishedName', ''), column_ifexists('LinkedValueDN', ''), column_ifexists('ObjectModificationType', ''),column_ifexists('OriginatingServer', ''),column_ifexists('OriginatingUserWorkstations', ''),column_ifexists('OriginatingUsers', 
''),column_ifexists('PartitionNamingContext', ''),column_ifexists('StringValueFrom', ''),column_ifexists('StringValueTo', '')\",\"size\":0,\"title\":\"Semperis DSP AD Change\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"OriginatingTime\",\"label\":\"Originating Time\"},{\"columnId\":\"AttributeModificationType\",\"label\":\"Change Type\"},{\"columnId\":\"AttributeName\",\"label\":\"Attribute Name\"},{\"columnId\":\"cnName\",\"label\":\"CN\"},{\"columnId\":\"ClassName\",\"label\":\"Class\"},{\"columnId\":\"DistinguishedName\",\"label\":\"DN\"},{\"columnId\":\"LinkedValueDN\",\"label\":\"Linked Value DN\"},{\"columnId\":\"ObjectModificationType\",\"label\":\"Object Modification Type\"},{\"columnId\":\"OriginatingServer\",\"label\":\"Originating Server\"},{\"columnId\":\"OriginatingUserWorkstations\",\"label\":\"Originating Workstation\"},{\"columnId\":\"OriginatingUsers\",\"label\":\"Originating Identity\"},{\"columnId\":\"PartitionNamingContext\",\"label\":\"Partition\"},{\"columnId\":\"StringValueFrom\",\"label\":\"Value From\"},{\"columnId\":\"StringValueTo\",\"label\":\"Value To\"}]}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-SemperisDSPADChanges\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
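Review bot: The query on the new side of this hunk now reads from `SecurityEvents` while still filtering on `DeviceEventClassID` and splitting `AdditionalExtensions`, which are CommonSecurityLog (CEF) columns; `SecurityEvents` is not a built-in Log Analytics table (the built-in one is `SecurityEvent`, which carries neither column), so unless a custom table of that name exists the AD Changes grid will fail to resolve its source and show nothing — a monitoring gap for directory changes rather than a quiet success. The -279 hunk has the same problem twice: `SecurityEvent` becomes `Events` although the pivot still lists SecurityEvent columns (`EventSourceName, Channel, Level, Task`), and the CEF branch becomes `SecurityEvents`, while the quickview hunk at -365 keeps `CommonSecurityLog`/`SecurityEvent`, so the three workbooks no longer agree on their source tables. If the rename is intentional, the custom tables should be named in the solution description and the connector; otherwise restore `\"query\":\"CommonSecurityLog \\r\\n| where DeviceEventClassID == 'Semperis.DSP.AdChanges'` here and the `SecurityEvent`/`CommonSecurityLog` sources in -279. The workbook's `\"version\":\"1.0\"` and `workbookVersion1` (still `1.0.0` in the -63 hunk) are unchanged despite a query change, which I would expect to bump if consumers track workbook versions, though that depends on packaging conventions not visible here.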
@@ -261,7 +261,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SemperisDSPNotifications Workbook with template version 3.0.2",
+ "description": "SemperisDSPNotifications Workbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -279,7 +279,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ce8b817-f1ac-44c1-9803-9c29fb852094\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"b5012d54-1341-451b-8c19-2464dad7400d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RuleName\",\"label\":\"Rule Name\",\"type\":1,\"timeContext\":{\"durationMs\":86400000},\"value\":\"\"},{\"id\":\"1e9c0aed-d257-4426-abd4-26d1f244705f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"Critical\\\", \\\"label\\\":\\\"Critical\\\" },\\r\\n { \\\"value\\\":\\\"Warning\\\" , \\\"label\\\":\\\"Warning\\\" },\\r\\n { \\\"value\\\":\\\"Informational\\\" , \\\"label\\\":\\\"Informational\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(SecurityEvent\\r\\n| where EventSourceName == 'Semperis-DSP-Notifications' \\r\\n| extend p1Xml = parse_xml(EventData).EventData.Data\\r\\n| mv-expand bagexpansion=array p1Xml\\r\\n| evaluate bag_unpack(p1Xml)\\r\\n| extend Name=column_ifexists(tostring('@Name'), ''), 
columnValue=column_ifexists('#text', '')\\r\\n| evaluate pivot(Name, any(columnValue), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\r\\n| extend RuleName=tostring(column_ifexists('ruleName', '')), Severity=tostring(column_ifexists('severity', '')), DataSource=tostring(column_ifexists('dataSource', '')), ObjectDN=tostring(column_ifexists('objectDN', '')), TimeCreated=tostring(column_ifexists('timeCreated', '')), Operation=tostring(column_ifexists('fullOperation', '')), Attribute=tostring(column_ifexists('attributeName', '')), Value=tostring(column_ifexists('attributeValue', '')), ChangedBy=tostring(column_ifexists('changedBy', '')), Source=tostring(column_ifexists('Computer', '')))\\r\\n| union\\r\\n(CommonSecurityLog\\r\\n| extend Activity=column_ifexists('Activity', ''), DeviceProduct=column_ifexists('DeviceProduct', '')\\r\\n| where Activity == 'rule-alert'\\r\\n| where DeviceProduct == 'Core Directory'\\r\\n| extend p1Array = split(AdditionalExtensions,\\\"|\\\")\\r\\n| mv-expand bagexpansion=array p1Array\\r\\n| evaluate bag_unpack(p1Array)\\r\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\r\\n| extend Value=replace_string(Value, \\\";\\\", \\\" \\\")\\r\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\r\\n| extend RuleName=column_ifexists('ruleName', ''), Severity=column_ifexists('severity', ''), DataSource=column_ifexists('dataSources', ''), ObjectDN=column_ifexists('subjectId', ''), TimeCreated=column_ifexists('alertCreated', ''), Operation=column_ifexists('operation', ''), Attribute=column_ifexists('attribute', ''), Value=column_ifexists('value', ''), ChangedBy=column_ifexists('changedBy', ''), Source=column_ifexists('alertSource', '')\\r\\n| extend Severity = case(toint(Severity) == 1 or 
toint(Severity) == 2, \\\"Informational\\\", toint(Severity)==3 or toint(Severity)==4, \\\"Low\\\", toint(Severity)==5 or toint(Severity)==6, \\\"Medium\\\", toint(Severity)==7 or toint(Severity)==8, \\\"High\\\", toint(Severity)==9 or toint(Severity)==10, \\\"Critical\\\", \\\"\\\"))\\r\\n| where (isempty('{Time}') or (todatetime(TimeCreated) >= todatetime('{Time:startISO}') and todatetime(TimeCreated) <= todatetime('{Time:endISO}'))) and ((isempty('{RuleName}') or indexof(RuleName,'{RuleName}') > -1)) and ((isempty('{Severity}') or Severity == '{Severity}'))\\r\\n| order by TimeGenerated desc\\r\\n| project RuleName, Severity, DataSource, ObjectDN, TimeCreated, Operation, Attribute, Value, ChangedBy, Source\",\"size\":0,\"title\":\"Notifications\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"RuleName\",\"label\":\"Rule Name\"},{\"columnId\":\"DataSource\",\"label\":\"Data Source\"},{\"columnId\":\"ObjectDN\",\"label\":\"Object DN\"},{\"columnId\":\"TimeCreated\",\"label\":\"Time Created\"},{\"columnId\":\"ChangedBy\",\"label\":\"Changed By\"}]}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-SemperisDSPNotifications\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ce8b817-f1ac-44c1-9803-9c29fb852094\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"b5012d54-1341-451b-8c19-2464dad7400d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RuleName\",\"label\":\"Rule Name\",\"type\":1,\"timeContext\":{\"durationMs\":86400000},\"value\":\"\"},{\"id\":\"1e9c0aed-d257-4426-abd4-26d1f244705f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\":\\\"Critical\\\", \\\"label\\\":\\\"Critical\\\" },\\r\\n { \\\"value\\\":\\\"Warning\\\" , \\\"label\\\":\\\"Warning\\\" },\\r\\n { \\\"value\\\":\\\"Informational\\\" , \\\"label\\\":\\\"Informational\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(Events\\r\\n| where EventSourceName == 'Semperis-DSP-Notifications' \\r\\n| extend p1Xml = parse_xml(EventData).EventData.Data\\r\\n| mv-expand bagexpansion=array p1Xml\\r\\n| evaluate bag_unpack(p1Xml)\\r\\n| extend Name=column_ifexists(tostring('@Name'), ''), columnValue=column_ifexists('#text', '')\\r\\n| evaluate pivot(Name, any(columnValue), TimeGenerated, EventSourceName, Channel, Computer, 
Level, EventLevelName, EventID, Task, Type, _ResourceId)\\r\\n| extend RuleName=tostring(column_ifexists('ruleName', '')), Severity=tostring(column_ifexists('severity', '')), DataSource=tostring(column_ifexists('dataSource', '')), ObjectDN=tostring(column_ifexists('objectDN', '')), TimeCreated=tostring(column_ifexists('timeCreated', '')), Operation=tostring(column_ifexists('fullOperation', '')), Attribute=tostring(column_ifexists('attributeName', '')), Value=tostring(column_ifexists('attributeValue', '')), ChangedBy=tostring(column_ifexists('changedBy', '')), Source=tostring(column_ifexists('Computer', '')))\\r\\n| union\\r\\n(SecurityEvents\\r\\n| extend Activity=column_ifexists('Activity', ''), DeviceProduct=column_ifexists('DeviceProduct', '')\\r\\n| where Activity == 'rule-alert'\\r\\n| where DeviceProduct == 'Core Directory'\\r\\n| extend p1Array = split(AdditionalExtensions,\\\"|\\\")\\r\\n| mv-expand bagexpansion=array p1Array\\r\\n| evaluate bag_unpack(p1Array)\\r\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\r\\n| extend Value=replace_string(Value, \\\";\\\", \\\" \\\")\\r\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\r\\n| extend RuleName=column_ifexists('ruleName', ''), Severity=column_ifexists('severity', ''), DataSource=column_ifexists('dataSources', ''), ObjectDN=column_ifexists('subjectId', ''), TimeCreated=column_ifexists('alertCreated', ''), Operation=column_ifexists('operation', ''), Attribute=column_ifexists('attribute', ''), Value=column_ifexists('value', ''), ChangedBy=column_ifexists('changedBy', ''), Source=column_ifexists('alertSource', '')\\r\\n| extend Severity = case(toint(Severity) == 1 or toint(Severity) == 2, \\\"Informational\\\", toint(Severity)==3 or toint(Severity)==4, \\\"Low\\\", toint(Severity)==5 or toint(Severity)==6, 
\\\"Medium\\\", toint(Severity)==7 or toint(Severity)==8, \\\"High\\\", toint(Severity)==9 or toint(Severity)==10, \\\"Critical\\\", \\\"\\\"))\\r\\n| where (isempty('{Time}') or (todatetime(TimeCreated) >= todatetime('{Time:startISO}') and todatetime(TimeCreated) <= todatetime('{Time:endISO}'))) and ((isempty('{RuleName}') or indexof(RuleName,'{RuleName}') > -1)) and ((isempty('{Severity}') or Severity == '{Severity}'))\\r\\n| order by TimeGenerated desc\\r\\n| project RuleName, Severity, DataSource, ObjectDN, TimeCreated, Operation, Attribute, Value, ChangedBy, Source\",\"size\":0,\"title\":\"Notifications\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"RuleName\",\"label\":\"Rule Name\"},{\"columnId\":\"DataSource\",\"label\":\"Data Source\"},{\"columnId\":\"ObjectDN\",\"label\":\"Object DN\"},{\"columnId\":\"TimeCreated\",\"label\":\"Time Created\"},{\"columnId\":\"ChangedBy\",\"label\":\"Changed By\"}]}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-SemperisDSPNotifications\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -347,7 +347,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SemperisDSPQuickviewDashboard Workbook with template version 3.0.2", + "description": "SemperisDSPQuickviewDashboard Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", 
@@ -365,7 +365,7 @@ }, "properties": { "displayName": "[parameters('workbook3-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let day_names =dynamic([\\\"Sunday\\\",\\\"Monday\\\",\\\"Tuesday\\\",\\\"Wednesday\\\",\\\"Thursday\\\",\\\"Friday\\\",\\\"Saturday\\\"]);\\nlet averageData = view() { CommonSecurityLog \\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\n| mv-expand bagexpansion=array p1Array\\n| evaluate bag_unpack(p1Array)\\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\n| where TimeGenerated > datetime(2000-01-01)\\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \\\"\\\"\\n| summarize Count=count() by Year=getyear(TimeGenerated), Month=monthofyear(TimeGenerated), Day=dayofmonth(TimeGenerated)\\n| summarize Average_Count=toint(avg(Count)) by Day=dayofweek(make_datetime(Year,Month,Day)), SortData=\\\"Average Daily Change\\\"\\n| order by Day asc};\\nlet weeklyData = view() { CommonSecurityLog \\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\n| mv-expand bagexpansion=array p1Array\\n| evaluate bag_unpack(p1Array)\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\n| where TimeGenerated > startofweek(now())\\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \\\"\\\"\\n| summarize Count=count() by Year=getyear(TimeGenerated), Month=monthofyear(TimeGenerated), 
Day=dayofmonth(TimeGenerated)\\n| summarize Average_Count=toint(avg(Count)) by Day=dayofweek(make_datetime(Year,Month,Day)), SortData=\\\"Daily Change\\\"\\n| order by Day asc };\\nunion withsource=TableName averageData,weeklyData\\n| order by Day asc, SortData asc\\n| project Average_Count,Day,TableName,SortData,Days=tostring(day_names[indexof('00010203040506', format_timespan(Day,'dd'))/2])\\n| render barchart with (kind=unstacked)\\n\\n\",\"size\":0,\"title\":\"Weekly Active Directory Change Count\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"xAxis\":\"Days\",\"seriesLabelSettings\":[{\"seriesName\":\"averageData\",\"label\":\"Average Daily Change\",\"color\":\"gray\"},{\"seriesName\":\"weeklyData\",\"label\":\"Daily Change\",\"color\":\"orange\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Average_Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Average_Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Average_Count\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\n| where EventSourceName == 'Semperis-Operation-Log' and EventID == 20000\\n| sort by TimeGenerated desc \\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend details = column_ifexists('details', '')\\n| parse details with * \\\"Trustee Name: \\\" TrusteeName \\\" Correlation ID: \\\" * \\\" Source: \\\" HostIP \\\":\\\" * \\\" Target\\\" *\\n| extend host = tostring(HostIP)\\n| project 
TimeGenerated, TrusteeName, HostIP\\n| order by TimeGenerated desc\\n| top 10 by TimeGenerated\",\"size\":1,\"title\":\"Successful Logons\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time Generated\"}]}},\"customWidth\":\"55\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\n| where EventSourceName == 'Semperis-Operation-Log' and ( EventID == 20000 or EventID == 20002 )\\n| sort by TimeGenerated desc \\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend details = column_ifexists('details', ''), accessGrated = column_ifexists('accessGrated', '')\\n| parse details with * \\\"Trustee Name: \\\" TrusteeName \\\" Correlation ID: \\\" * \\\" Source: \\\" HostIP \\\":\\\" * \\\" Target\\\" *\\n| extend host = tostring(HostIP)\\n| where isnotempty(accessGrated)\\n| summarize Count=count() by accessGrated\\n\",\"size\":1,\"title\":\"DSP Logins\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\" TRUE \",\"color\":\"green\"},{\"seriesName\":\" FALSE \",\"color\":\"redBright\"},{\"color\":\"red\"}]}},\"customWidth\":\"45\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(SecurityEvent\\r\\n| where EventSourceName == 'Semperis-DSP-Notifications' \\r\\n| extend p1Xml = parse_xml(EventData).EventData.Data\\r\\n| mv-expand bagexpansion=array 
p1Xml\\r\\n| evaluate bag_unpack(p1Xml)\\r\\n| extend Name=column_ifexists(tostring('@Name'), ''), columnValue=column_ifexists('#text', '')\\r\\n| evaluate pivot(Name, any(columnValue), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\r\\n| extend RuleName=tostring(column_ifexists('ruleName', '')), Severity=tostring(column_ifexists('severity', '')), DataSource=tostring(column_ifexists('dataSource', '')), ObjectDN=tostring(column_ifexists('objectDN', '')), TimeCreated=tostring(column_ifexists('timeCreated', '')), Operation=tostring(column_ifexists('fullOperation', '')), Attribute=tostring(column_ifexists('attributeName', '')), Value=tostring(column_ifexists('attributeValue', '')), ChangedBy=tostring(column_ifexists('changedBy', '')), Source=tostring(column_ifexists('Computer', '')))\\r\\n| union\\r\\n(CommonSecurityLog \\r\\n| extend Activity=column_ifexists('Activity', ''), DeviceProduct=column_ifexists('DeviceProduct', '')\\r\\n| where DeviceProduct == 'Core Directory'\\r\\n| where Activity == 'rule-alert'\\r\\n| extend p1Array = split(AdditionalExtensions,\\\"|\\\")\\r\\n| mv-expand bagexpansion=array p1Array\\r\\n| evaluate bag_unpack(p1Array)\\r\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\r\\n| extend Value=replace_string(Value, \\\";\\\", \\\" \\\")\\r\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\r\\n| extend RuleName=column_ifexists('ruleName', ''), Severity=column_ifexists('severity', ''), DataSource=column_ifexists('dataSources', ''), ObjectDN=column_ifexists('subjectId', ''), TimeCreated=column_ifexists('alertCreated', ''), Operation=column_ifexists('operation', ''), Attribute=column_ifexists('attribute', ''), Value=column_ifexists('value', ''), ChangedBy=column_ifexists('changedBy', ''), 
Source=column_ifexists('alertSource', '')\\r\\n| extend Severity = case(toint(Severity) == 1 or toint(Severity) == 2, \\\"Informational\\\", toint(Severity)==3 or toint(Severity)==4, \\\"Low\\\", toint(Severity)==5 or toint(Severity)==6, \\\"Medium\\\", toint(Severity)==7 or toint(Severity)==8, \\\"High\\\", toint(Severity)==9 or toint(Severity)==10, \\\"Critical\\\", \\\"\\\"))\\r\\n| order by TimeGenerated desc\\r\\n| project RuleName, Severity, Operation, Attribute, Value, ChangedBy, Source\\r\\n\",\"size\":0,\"title\":\"Notifications\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"labelSettings\":[{\"columnId\":\"RuleName\",\"label\":\"Rule Name\"},{\"columnId\":\"ChangedBy\",\"label\":\"Changed By\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\n| where EventSourceName == 'Semperis-Operation-Log' and EventID == 20012\\n| sort by TimeGenerated desc\\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend details=column_ifexists(tostring('details'), '')\\n| parse details with \\\"Occured at (UTC): \\\" OccurredAt \\\"Session ID: \\\" SessionID \\\"Trustee Name: \\\" TrusteeName \\\"Correlation ID: \\\" CorrelationID \\\"Source: \\\" Source \\\"WebSite Target: \\\" WebSiteTarget \\\"Product: \\\" Product \\\"Component: \\\" Component \\\"AD Information: \\\" ADInformation \\\"Object GUID: \\\" ObjectGUID \\\"Attribute: \\\" Attribute \\\"Distinguished Name: \\\" DistinguishedName \\\"Additional Information: \\\"AdditionalInformation 
\\\"Operation Detail: \\\" OperationDetail \\\"operationName: \\\" operationName \\\"trustee: \\\" trustee \\\"personas: \\\" personas \\\"Status: \\\" status \\\"Granted: \\\" Granted \\\"Result: \\\" Result\\n| where isnotempty(operationName)\\n| extend _AccessGranted = iif(operationName contains \\\"CreateRbacIdentity\\\", \\\"Added\\\", \\\"Removed\\\")\\n| extend _Identity = iif(operationName contains \\\"CreateRbacIdentity\\\", trustee, tostring(substring(trustee,1,strlen(trustee))))\\n| extend _Identity = iif(operationName contains \\\"CreateRbacIdentity\\\", _Identity, replace_string(_Identity,\\\"'\\\",\\\"\\\"))\\n| extend add_personas = replace_string(replace_string(replace_string(personas,\\\"{ Name = \\\",\\\"\\\"),\\\" }\\\",\\\"\\\"),\\\";\\\",\\\",\\\")\\n| extend remove_personas = replace_string(personas,\\\";\\\",\\\",\\\")\\n| extend grid_personas = iif(operationName contains \\\"CreateRbacIdentity\\\", add_personas, remove_personas)\\n| extend date_to_sort = format_datetime(TimeGenerated,\\\"yyyy-mm-dd HH:mm:ss\\\")\\n| order by date_to_sort desc\\n| project TrusteeName, _Identity, _AccessGranted, grid_personas, TimeGenerated\\n\\n\\n\",\"size\":1,\"title\":\"Role Based Access Control Changes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TrusteeName\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"TrusteeName\",\"label\":\"Changed By\"},{\"columnId\":\"_Identity\",\"label\":\"Identity\"},{\"columnId\":\"_AccessGranted\",\"label\":\"Access Granted\"},{\"columnId\":\"TimeGenerated\",\"label\":\"Timestamp\"}]},\"sortBy\":[{\"itemKey\":\"TrusteeName\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\n| mv-expand bagexpansion=array p1Array\\n| 
evaluate bag_unpack(p1Array)\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity)\\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \\\"\\\"\\n| summarize ChangedCount = count() by tostring(OriginatingUsers)\\n| project replace_string(OriginatingUsers,'\\\\\\\\\\\\\\\\','/'), ChangedCount, OriginatingUsers, \\\"Details\\\"\\n| order by ChangedCount desc\\n| top 5 by ChangedCount\",\"size\":1,\"title\":\"Top 5 Identities Making Changes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OriginatingUsers\",\"formatter\":5},{\"columnMatch\":\"Column2\",\"formatter\":1,\"formatOptions\":{\"linkTarget\":\"WorkbookTemplate\",\"linkIsContextBlade\":true,\"workbookContext\":{\"componentIdSource\":\"workbook\",\"resourceIdsSource\":\"workbook\",\"typeSource\":\"workbook\",\"gallerySource\":\"workbook\",\"locationSource\":\"workbook\",\"passSpecificParams\":true,\"templateParameters\":[{\"name\":\"OriginatingUsers\",\"source\":\"column\",\"value\":\"Column1\"}]}}},{\"columnMatch\":\"ParentId\",\"formatter\":5},{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"Originating Identity\",\"formatter\":1},{\"columnMatch\":\"Group\",\"formatter\":1}],\"labelSettings\":[{\"columnId\":\"Column1\",\"label\":\"Originating Identity\"},{\"columnId\":\"ChangedCount\",\"label\":\"Number of Changes\"},{\"columnId\":\"Column2\",\"label\":\" \"}]}},\"customWidth\":\"35\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\n| mv-expand bagexpansion=array p1Array\\n| evaluate bag_unpack(p1Array)\\n| extend 
Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\n| extend DistinguishedName = column_ifexists('DistinguishedName', '')\\n| where isnotempty(DistinguishedName)\\n| parse DistinguishedName with * \\\"CN=\\\" cnName \\\",\\\" *\\n| parse DistinguishedName with * \\\"DC=\\\" dcName \\\",\\\" *\\n| where ClassName != \\\"dnsNode\\\"\\n| summarize ChangedCount=count() by cnName\\n| project cnName, ChangedCount, \\\"Details\\\"\\n| order by ChangedCount desc\\n| top 5 by ChangedCount\\n\",\"size\":3,\"title\":\"Top 5 Objects Changed\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Column1\",\"formatter\":1,\"formatOptions\":{\"linkTarget\":\"WorkbookTemplate\",\"linkIsContextBlade\":true,\"workbookContext\":{\"componentIdSource\":\"workbook\",\"resourceIdsSource\":\"workbook\",\"typeSource\":\"workbook\",\"gallerySource\":\"workbook\",\"locationSource\":\"default\",\"passSpecificParams\":true,\"templateParameters\":[{\"name\":\"cName\",\"source\":\"column\",\"value\":\"cnName\"}]}}}],\"labelSettings\":[{\"columnId\":\"cnName\",\"label\":\"Object Changed\"}]}},\"customWidth\":\"35\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\n| where EventSourceName == 'Semperis-DSP-Notifications' \\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Key1=tostring(column_ifexists('@Name', '')), Value=column_ifexists('#text', '')\\n| evaluate pivot(Key1, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend 
fullOperation=column_ifexists('fullOperation', '')\\n| summarize Count=count() by tostring(fullOperation)\\n\\n\",\"size\":1,\"title\":\"AD Change Types\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"fullOperation\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"fullOperation\",\"label\":\"Activity\"}]},\"sortBy\":[{\"itemKey\":\"fullOperation\",\"sortOrder\":1}]},\"customWidth\":\"30\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\n| mv-expand bagexpansion=array p1Array\\n| evaluate bag_unpack(p1Array)\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\n| parse DistinguishedName with * \\\"CN\\\\\\\\=\\\" cnName \\\",\\\" *\\n| parse DistinguishedName with * \\\"DC\\\\\\\\=\\\" dcName \\\",\\\" *\\n| where ClassName == 'group'\\n| project AttributeModificationType,cnName,OriginatingTime,replace_string(OriginatingUsers,\\\"\\\\\\\\\\\\\\\\\\\",\\\"\\\\\\\\\\\"),StringValueFrom,StringValueTo\\n\",\"size\":0,\"title\":\"Builtin Group 
Changes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Column1\",\"formatter\":1,\"formatOptions\":{\"workbookContext\":{\"componentIdSource\":\"workbook\",\"resourceIdsSource\":\"workbook\",\"typeSource\":\"workbook\",\"gallerySource\":\"workbook\",\"locationSource\":\"default\",\"passSpecificParams\":true,\"templateParameters\":[{\"name\":\"cName\",\"source\":\"column\",\"value\":\"cnName\"}]}}}],\"rowLimit\":10000,\"labelSettings\":[{\"columnId\":\"AttributeModificationType\",\"label\":\"Attribute Modification Type\"},{\"columnId\":\"cnName\",\"label\":\"Object Changed\"},{\"columnId\":\"OriginatingTime\",\"label\":\"Originating Time\"},{\"columnId\":\"StringValueFrom\",\"label\":\"Value From\"},{\"columnId\":\"StringValueTo\",\"label\":\"Value To\"}]}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\n| where EventSourceName == \\\"Semperis-DSP-Security\\\"\\n| where EventID in (\\\"9211\\\", \\\"9212\\\", \\\"9208\\\")\\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend result=column_ifexists(tostring('result'), ''), numberOfResults=column_ifexists(tostring('numberOfResults'), ''), securityIndicatorName=column_ifexists(tostring('securityIndicatorName'), '')\\n| extend isProblem = iif(result == \\\"Failed\\\", true, false)\\n| where isnotnull(numberOfResults) and isProblem == true\\n| order by tostring(securityIndicatorName)\\n| summarize Count=count() by tostring(securityIndicatorName)\\n| top 5 by Count\\n\\n\",\"size\":1,\"title\":\"Top 5 Failed Security 
Indicators\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"yAxis\":[\"Count\"],\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\n| where EventSourceName == \\\"Semperis-DSP-Security\\\"\\n| where EventID in (\\\"9211\\\", \\\"9212\\\", \\\"9208\\\")\\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend result=column_ifexists(tostring('result'), ''), numberOfResults=column_ifexists(tostring('numberOfResults'), ''), securityFrameworkTags=column_ifexists(tostring('securityFrameworkTags'), '')\\n| extend isProblem = iif(result == \\\"Failed\\\", true, false)\\n| where isnotnull(numberOfResults) and isProblem == true\\n| summarize Count=count() by tostring(securityFrameworkTags)\\n\\n\",\"size\":0,\"title\":\"Amount of Generated Events per Category\",\"timeContext\":{\"durationMs\":14400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"yAxis\":[\"Count\"],\"showLegend\":true}},\"name\":\"query - 2\"}],\"styleSettings\":{\"paddingStyle\":\"wide\",\"spacingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-SemperisDSPQuickviewDashboard\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"83787f1b-6573-47c6-8def-36bceb9a8afe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\" Specify the time range on which to query the data\",\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let day_names =dynamic([\\\"Sunday\\\",\\\"Monday\\\",\\\"Tuesday\\\",\\\"Wednesday\\\",\\\"Thursday\\\",\\\"Friday\\\",\\\"Saturday\\\"]);\\nlet averageData = view() { Events \\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\n| mv-expand bagexpansion=array p1Array\\n| evaluate bag_unpack(p1Array)\\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\n| where TimeGenerated > datetime(2000-01-01)\\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \\\"\\\"\\n| summarize Count=count() by Year=getyear(TimeGenerated), Month=monthofyear(TimeGenerated), 
Day=dayofmonth(TimeGenerated)\\n| summarize Average_Count=toint(avg(Count)) by Day=dayofweek(make_datetime(Year,Month,Day)), SortData=\\\"Average Daily Change\\\"\\n| order by Day asc};\\nlet weeklyData = view() { Events \\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\n| mv-expand bagexpansion=array p1Array\\n| evaluate bag_unpack(p1Array)\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\n| where TimeGenerated > startofweek(now())\\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \\\"\\\"\\n| summarize Count=count() by Year=getyear(TimeGenerated), Month=monthofyear(TimeGenerated), Day=dayofmonth(TimeGenerated)\\n| summarize Average_Count=toint(avg(Count)) by Day=dayofweek(make_datetime(Year,Month,Day)), SortData=\\\"Daily Change\\\"\\n| order by Day asc };\\nunion withsource=TableName averageData,weeklyData\\n| order by Day asc, SortData asc\\n| project Average_Count,Day,TableName,SortData,Days=tostring(day_names[indexof('00010203040506', format_timespan(Day,'dd'))/2])\\n| render barchart with (kind=unstacked)\\n\\n\",\"size\":0,\"title\":\"Weekly Active Directory Change Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"xAxis\":\"Days\",\"seriesLabelSettings\":[{\"seriesName\":\"averageData\",\"label\":\"Average Daily Change\",\"color\":\"gray\"},{\"seriesName\":\"weeklyData\",\"label\":\"Daily 
Change\",\"color\":\"orange\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Average_Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Average_Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Average_Count\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Events\\n| where EventSourceName == 'Semperis-Operation-Log' and EventID == 20000\\n| sort by TimeGenerated desc \\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend details = column_ifexists('details', '')\\n| parse details with * \\\"Trustee Name: \\\" TrusteeName \\\" Correlation ID: \\\" * \\\" Source: \\\" HostIP \\\":\\\" * \\\" Target\\\" *\\n| extend host = tostring(HostIP)\\n| project TimeGenerated, TrusteeName, HostIP\\n| order by TimeGenerated desc\\n| top 10 by TimeGenerated\",\"size\":1,\"title\":\"Successful Logons\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time Generated\"}]}},\"customWidth\":\"55\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Events\\n| where EventSourceName == 'Semperis-Operation-Log' and ( EventID == 20000 or EventID == 20002 )\\n| sort by TimeGenerated desc \\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend 
Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend details = column_ifexists('details', ''), accessGrated = column_ifexists('accessGrated', '')\\n| parse details with * \\\"Trustee Name: \\\" TrusteeName \\\" Correlation ID: \\\" * \\\" Source: \\\" HostIP \\\":\\\" * \\\" Target\\\" *\\n| extend host = tostring(HostIP)\\n| where isnotempty(accessGrated)\\n| summarize Count=count() by accessGrated\\n\",\"size\":1,\"title\":\"DSP Logins\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\" TRUE \",\"color\":\"green\"},{\"seriesName\":\" FALSE \",\"color\":\"redBright\"},{\"color\":\"red\"}]}},\"customWidth\":\"45\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(Events\\r\\n| where EventSourceName == 'Semperis-DSP-Notifications' \\r\\n| extend p1Xml = parse_xml(EventData).EventData.Data\\r\\n| mv-expand bagexpansion=array p1Xml\\r\\n| evaluate bag_unpack(p1Xml)\\r\\n| extend Name=column_ifexists(tostring('@Name'), ''), columnValue=column_ifexists('#text', '')\\r\\n| evaluate pivot(Name, any(columnValue), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\r\\n| extend RuleName=tostring(column_ifexists('ruleName', '')), Severity=tostring(column_ifexists('severity', '')), DataSource=tostring(column_ifexists('dataSource', '')), ObjectDN=tostring(column_ifexists('objectDN', '')), TimeCreated=tostring(column_ifexists('timeCreated', '')), Operation=tostring(column_ifexists('fullOperation', '')), Attribute=tostring(column_ifexists('attributeName', '')), 
Value=tostring(column_ifexists('attributeValue', '')), ChangedBy=tostring(column_ifexists('changedBy', '')), Source=tostring(column_ifexists('Computer', '')))\\r\\n| union\\r\\n(SecurityEvents \\r\\n| extend Activity=column_ifexists('Activity', ''), DeviceProduct=column_ifexists('DeviceProduct', '')\\r\\n| where DeviceProduct == 'Core Directory'\\r\\n| where Activity == 'rule-alert'\\r\\n| extend p1Array = split(AdditionalExtensions,\\\"|\\\")\\r\\n| mv-expand bagexpansion=array p1Array\\r\\n| evaluate bag_unpack(p1Array)\\r\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\r\\n| extend Value=replace_string(Value, \\\";\\\", \\\" \\\")\\r\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\r\\n| extend RuleName=column_ifexists('ruleName', ''), Severity=column_ifexists('severity', ''), DataSource=column_ifexists('dataSources', ''), ObjectDN=column_ifexists('subjectId', ''), TimeCreated=column_ifexists('alertCreated', ''), Operation=column_ifexists('operation', ''), Attribute=column_ifexists('attribute', ''), Value=column_ifexists('value', ''), ChangedBy=column_ifexists('changedBy', ''), Source=column_ifexists('alertSource', '')\\r\\n| extend Severity = case(toint(Severity) == 1 or toint(Severity) == 2, \\\"Informational\\\", toint(Severity)==3 or toint(Severity)==4, \\\"Low\\\", toint(Severity)==5 or toint(Severity)==6, \\\"Medium\\\", toint(Severity)==7 or toint(Severity)==8, \\\"High\\\", toint(Severity)==9 or toint(Severity)==10, \\\"Critical\\\", \\\"\\\"))\\r\\n| order by TimeGenerated desc\\r\\n| project RuleName, Severity, Operation, Attribute, Value, ChangedBy, 
Source\\r\\n\",\"size\":0,\"title\":\"Notifications\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"labelSettings\":[{\"columnId\":\"RuleName\",\"label\":\"Rule Name\"},{\"columnId\":\"ChangedBy\",\"label\":\"Changed By\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Events\\n| where EventSourceName == 'Semperis-Operation-Log' and EventID == 20012\\n| sort by TimeGenerated desc\\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend details=column_ifexists(tostring('details'), '')\\n| parse details with \\\"Occured at (UTC): \\\" OccurredAt \\\"Session ID: \\\" SessionID \\\"Trustee Name: \\\" TrusteeName \\\"Correlation ID: \\\" CorrelationID \\\"Source: \\\" Source \\\"WebSite Target: \\\" WebSiteTarget \\\"Product: \\\" Product \\\"Component: \\\" Component \\\"AD Information: \\\" ADInformation \\\"Object GUID: \\\" ObjectGUID \\\"Attribute: \\\" Attribute \\\"Distinguished Name: \\\" DistinguishedName \\\"Additional Information: \\\"AdditionalInformation \\\"Operation Detail: \\\" OperationDetail \\\"operationName: \\\" operationName \\\"trustee: \\\" trustee \\\"personas: \\\" personas \\\"Status: \\\" status \\\"Granted: \\\" Granted \\\"Result: \\\" Result\\n| where isnotempty(operationName)\\n| extend _AccessGranted = iif(operationName contains \\\"CreateRbacIdentity\\\", \\\"Added\\\", \\\"Removed\\\")\\n| extend _Identity = iif(operationName contains \\\"CreateRbacIdentity\\\", trustee, 
tostring(substring(trustee,1,strlen(trustee))))\\n| extend _Identity = iif(operationName contains \\\"CreateRbacIdentity\\\", _Identity, replace_string(_Identity,\\\"'\\\",\\\"\\\"))\\n| extend add_personas = replace_string(replace_string(replace_string(personas,\\\"{ Name = \\\",\\\"\\\"),\\\" }\\\",\\\"\\\"),\\\";\\\",\\\",\\\")\\n| extend remove_personas = replace_string(personas,\\\";\\\",\\\",\\\")\\n| extend grid_personas = iif(operationName contains \\\"CreateRbacIdentity\\\", add_personas, remove_personas)\\n| extend date_to_sort = format_datetime(TimeGenerated,\\\"yyyy-mm-dd HH:mm:ss\\\")\\n| order by date_to_sort desc\\n| project TrusteeName, _Identity, _AccessGranted, grid_personas, TimeGenerated\\n\\n\\n\",\"size\":1,\"title\":\"Role Based Access Control Changes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TrusteeName\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"TrusteeName\",\"label\":\"Changed By\"},{\"columnId\":\"_Identity\",\"label\":\"Identity\"},{\"columnId\":\"_AccessGranted\",\"label\":\"Access Granted\"},{\"columnId\":\"TimeGenerated\",\"label\":\"Timestamp\"}]},\"sortBy\":[{\"itemKey\":\"TrusteeName\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Events\\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\n| mv-expand bagexpansion=array p1Array\\n| evaluate bag_unpack(p1Array)\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity)\\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \\\"\\\"\\n| summarize ChangedCount = count() by tostring(OriginatingUsers)\\n| 
project replace_string(OriginatingUsers,'\\\\\\\\\\\\\\\\','/'), ChangedCount, OriginatingUsers, \\\"Details\\\"\\n| order by ChangedCount desc\\n| top 5 by ChangedCount\",\"size\":1,\"title\":\"Top 5 Identities Making Changes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OriginatingUsers\",\"formatter\":5},{\"columnMatch\":\"Column2\",\"formatter\":1,\"formatOptions\":{\"linkTarget\":\"WorkbookTemplate\",\"linkIsContextBlade\":true,\"workbookContext\":{\"componentIdSource\":\"workbook\",\"resourceIdsSource\":\"workbook\",\"typeSource\":\"workbook\",\"gallerySource\":\"workbook\",\"locationSource\":\"workbook\",\"passSpecificParams\":true,\"templateParameters\":[{\"name\":\"OriginatingUsers\",\"source\":\"column\",\"value\":\"Column1\"}]}}},{\"columnMatch\":\"ParentId\",\"formatter\":5},{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"Originating Identity\",\"formatter\":1},{\"columnMatch\":\"Group\",\"formatter\":1}],\"labelSettings\":[{\"columnId\":\"Column1\",\"label\":\"Originating Identity\"},{\"columnId\":\"ChangedCount\",\"label\":\"Number of Changes\"},{\"columnId\":\"Column2\",\"label\":\" \"}]}},\"customWidth\":\"35\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Events\\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\n| mv-expand bagexpansion=array p1Array\\n| evaluate bag_unpack(p1Array)\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\n| extend DistinguishedName = column_ifexists('DistinguishedName', '')\\n| where isnotempty(DistinguishedName)\\n| parse 
DistinguishedName with * \\\"CN=\\\" cnName \\\",\\\" *\\n| parse DistinguishedName with * \\\"DC=\\\" dcName \\\",\\\" *\\n| where ClassName != \\\"dnsNode\\\"\\n| summarize ChangedCount=count() by cnName\\n| project cnName, ChangedCount, \\\"Details\\\"\\n| order by ChangedCount desc\\n| top 5 by ChangedCount\\n\",\"size\":3,\"title\":\"Top 5 Objects Changed\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Column1\",\"formatter\":1,\"formatOptions\":{\"linkTarget\":\"WorkbookTemplate\",\"linkIsContextBlade\":true,\"workbookContext\":{\"componentIdSource\":\"workbook\",\"resourceIdsSource\":\"workbook\",\"typeSource\":\"workbook\",\"gallerySource\":\"workbook\",\"locationSource\":\"default\",\"passSpecificParams\":true,\"templateParameters\":[{\"name\":\"cName\",\"source\":\"column\",\"value\":\"cnName\"}]}}}],\"labelSettings\":[{\"columnId\":\"cnName\",\"label\":\"Object Changed\"}]}},\"customWidth\":\"35\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Events\\n| where EventSourceName == 'Semperis-DSP-Notifications' \\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Key1=tostring(column_ifexists('@Name', '')), Value=column_ifexists('#text', '')\\n| evaluate pivot(Key1, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend fullOperation=column_ifexists('fullOperation', '')\\n| summarize Count=count() by tostring(fullOperation)\\n\\n\",\"size\":1,\"title\":\"AD Change 
Types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"fullOperation\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"fullOperation\",\"label\":\"Activity\"}]},\"sortBy\":[{\"itemKey\":\"fullOperation\",\"sortOrder\":1}]},\"customWidth\":\"30\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvents\\n| extend p1Array = split(AdditionalExtensions,\\\";\\\")\\n| mv-expand bagexpansion=array p1Array\\n| evaluate bag_unpack(p1Array)\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\\n| parse DistinguishedName with * \\\"CN\\\\\\\\=\\\" cnName \\\",\\\" *\\n| parse DistinguishedName with * \\\"DC\\\\\\\\=\\\" dcName \\\",\\\" *\\n| where ClassName == 'group'\\n| project AttributeModificationType,cnName,OriginatingTime,replace_string(OriginatingUsers,\\\"\\\\\\\\\\\\\\\\\\\",\\\"\\\\\\\\\\\"),StringValueFrom,StringValueTo\\n\",\"size\":0,\"title\":\"Builtin Group Changes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Column1\",\"formatter\":1,\"formatOptions\":{\"workbookContext\":{\"componentIdSource\":\"workbook\",\"resourceIdsSource\":\"workbook\",\"typeSource\":\"workbook\",\"gallerySource\":\"workbook\",\"locationSource\":\"default\",\"passSpecificParams\":true,\"templateParameters\":[{\"name\":\"cName\",\"source\":\"column\",\"value\":\"cnName\"}]}}}],\"rowLimit\":10000,\"labelSettings\":[{\"columnId\":\"AttributeModificationType\",\"label\":\"Attribute Modification 
Type\"},{\"columnId\":\"cnName\",\"label\":\"Object Changed\"},{\"columnId\":\"OriginatingTime\",\"label\":\"Originating Time\"},{\"columnId\":\"StringValueFrom\",\"label\":\"Value From\"},{\"columnId\":\"StringValueTo\",\"label\":\"Value To\"}]}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvents\\n| where EventSourceName == \\\"Semperis-DSP-Security\\\"\\n| where EventID in (\\\"9211\\\", \\\"9212\\\", \\\"9208\\\")\\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend result=column_ifexists(tostring('result'), ''), numberOfResults=column_ifexists(tostring('numberOfResults'), ''), securityIndicatorName=column_ifexists(tostring('securityIndicatorName'), '')\\n| extend isProblem = iif(result == \\\"Failed\\\", true, false)\\n| where isnotnull(numberOfResults) and isProblem == true\\n| order by tostring(securityIndicatorName)\\n| summarize Count=count() by tostring(securityIndicatorName)\\n| top 5 by Count\\n\\n\",\"size\":1,\"title\":\"Top 5 Failed Security Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"yAxis\":[\"Count\"],\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvents\\n| where EventSourceName == \\\"Semperis-DSP-Security\\\"\\n| where EventID in (\\\"9211\\\", \\\"9212\\\", \\\"9208\\\")\\n| extend p1Xml = parse_xml(EventData).EventData.Data\\n| 
mv-expand bagexpansion=array p1Xml\\n| evaluate bag_unpack(p1Xml)\\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\\n| extend result=column_ifexists(tostring('result'), ''), numberOfResults=column_ifexists(tostring('numberOfResults'), ''), securityFrameworkTags=column_ifexists(tostring('securityFrameworkTags'), '')\\n| extend isProblem = iif(result == \\\"Failed\\\", true, false)\\n| where isnotnull(numberOfResults) and isProblem == true\\n| summarize Count=count() by tostring(securityFrameworkTags)\\n\\n\",\"size\":0,\"title\":\"Amount of Generated Events per Category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"yAxis\":[\"Count\"],\"showLegend\":true}},\"name\":\"query - 2\"}],\"fallbackResourceIds\":[\"/subscriptions/20d762c7-7b9b-41b2-ab45-62d7fa96ddbe/resourcegroups/Semperis-Testing-RG\"],\"styleSettings\":{\"paddingStyle\":\"wide\",\"spacingStyle\":\"wide\"},\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -433,7 +433,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SemperisDSPSecurityIndicators Workbook with template version 3.0.2", + "description": "SemperisDSPSecurityIndicators Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion4')]", 
@@ -451,7 +451,7 @@ }, "properties": { "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Semperis Directory Services Protector\\r\\n\\r\\n**Semperis Directory Services Protector** (DSP) provides valuable insight into your Active Directory security posture. It queries your Active Directory environment and performs a set of tests against many aspects of Active Directory's security posture, including AD Delegation, Account security, AD Infrastructure security, Group Policy security, and Kerberos security.\\r\\n\\r\\nEach security indicator is mapped to MITRE ATT&CK® framework categories, explains what was evaluated, and indicates how likely an exposure will compromise Active Directory. \\r\\n\\r\\nEach IoE found highlights weak Active Directory configurations and provides actionable guidance on how to close gaps before they are exploited by attackers. Using this workbook, you can determine how you are doing from a security perspective, compared to best practice environments.\\r\\n\\r\\nIn case of security regressions, Semperis Directory Services Protector will trigger alerts through Microsoft Sentinel.\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"# Security Indicators mapped to MITRE ATT&CK® Framework Categories:\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"83787f1b-6573-47c6-8def-36bceb9a8afe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\" Specify the time range on which to query the 
data\",\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"d46aac4d-bcb8-4dbf-a331-3a3538226bc3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MitreFramework\",\"label\":\"MITRE ATT&CK Framework\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"(dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags))\\r\\n| union (CommonSecurityLog\\r\\n| extend p1Array = split(AdditionalExtensions,\\\"|\\\")\\r\\n| mv-expand bagexpansion=array p1Array\\r\\n| evaluate bag_unpack(p1Array)\\r\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\r\\n| extend Value=replace_string(Value, \\\";\\\", \\\" \\\")\\r\\n| evaluate pivot(Name, any(Value), TimeGenerated, LogSeverity)\\r\\n| extend SecurityIndicatorName = column_ifexists('Name', '')\\r\\n| where isnotempty(SecurityIndicatorName)\\r\\n| extend SecurityFrameworkTags = column_ifexists('SecurityFrameworkTags', '')\\r\\n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags)))| mv-expand bagexpansion=array parse_csv(SecurityFrameworkTagsCsv) to typeof(string)\\r\\n| summarize Count = count() by SecurityFrameworkTagsCsv\\r\\n| order by Count desc, SecurityFrameworkTagsCsv asc\\r\\n| project Value = SecurityFrameworkTagsCsv, Label = 
strcat(SecurityFrameworkTagsCsv)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf84c455-c1b9-4785-a592-54834be54097\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"(dsp_parser\\r\\n| where isnotempty(Result))\\r\\n| union (CommonSecurityLog | extend p1Array = split(AdditionalExtensions,\\\"|\\\")| mv-expand bagexpansion=array p1Array| evaluate bag_unpack(p1Array)| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)| evaluate pivot(Name, any(Value))| extend SecurityIndicatorName = column_ifexists('Name', '')| where isnotempty(SecurityIndicatorName)| extend Result = \\\"Attack detected\\\")| summarize Count = count() by tostring(Result)\\r\\n| order by Count desc, Result asc\\r\\n| project Value = Result, Label = strcat(Result)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags) \\r\\n| extend Result = Result\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\\r\\n| extend Targets = iff(isempty(Targets), 'AD', Targets))\\r\\n| 
union \\r\\n(CommonSecurityLog \\r\\n| extend p1Array = split(AdditionalExtensions,\\\"|\\\")\\r\\n| mv-expand bagexpansion=array p1Array\\r\\n| evaluate bag_unpack(p1Array)\\r\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\r\\n| extend Value=replace_string(Value, \\\";\\\", \\\" \\\")\\r\\n| evaluate pivot(Name, any(Value), TimeGenerated, LogSeverity)\\r\\n| extend SecurityIndicatorName = column_ifexists('Name', '')\\r\\n| where isnotempty(SecurityIndicatorName)\\r\\n| extend Targets = \\\"AD\\\"\\r\\n| extend Severity = column_ifexists('LogSeverity', '')\\r\\n| extend Score = column_ifexists('PercentageScore', '0')\\r\\n| extend FirstFound = column_ifexists('Timestamp', '')\\r\\n| extend Result = \\\"Attack detected\\\"\\r\\n| extend SecurityFrameworkTags = column_ifexists('SecurityFrameworkTags', '')\\r\\n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags))\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)) \\r\\n| where Result in ({Status})\\r\\n| extend MitreFramework = pack_array({MitreFramework})\\r\\n| extend FilterIntersection = set_intersect(SecurityFrameworkTagList, MitreFramework)\\r\\n| extend FilterIntersectionCount = array_length(FilterIntersection)\\r\\n| where FilterIntersectionCount > 0\\r\\n| summarize Count = count() by tostring(SecurityIndicatorName), tostring(Targets), tostring(Severity), tostring(Score), tostring(FirstFound), tostring(Result), tostring(SecurityFrameworkTags)\\r\\n| order by Count\",\"size\":0,\"title\":\"Indicators Details:\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Severity\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"FirstFound\",\"label\":\"Latest 
alert\"},{\"columnId\":\"SecurityFrameworkTags\",\"label\":\"Security framework tags\"},{\"columnId\":\"SecurityIndicatorName\",\"label\":\"Security Indicator\"}]},\"sortBy\":[{\"itemKey\":\"Severity\",\"sortOrder\":1}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"securityIndicatorName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags) \\r\\n| where Result in ({Status})\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\\r\\n| extend MitreFramework = pack_array({MitreFramework})\\r\\n| extend FilterIntersection = set_intersect(SecurityFrameworkTagList, MitreFramework)\\r\\n| extend FilterIntersectionCount = array_length(FilterIntersection)\\r\\n| where FilterIntersectionCount > 0\\r\\n| summarize Requests = count() by tostring(SecurityIndicatorName)\\r\\n| order by Requests\\r\\n\",\"size\":3,\"title\":\"Breakdown by Indicators of Exposure 
(IoEs)\",\"noDataMessageStyle\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SecurityIndicatorName\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Requests\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false,\"size\":\"auto\"},\"chartSettings\":{\"group\":\"securityIndicatorName\",\"createOtherGroup\":10,\"showMetrics\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Requests\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Requests\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Requests\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags) \\r\\n| where Result in ({Status})\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\\r\\n| mv-expand bagexpansion=array SecurityFrameworkTagList to typeof(string)\\r\\n| where SecurityFrameworkTagList in ({MitreFramework})\\r\\n| summarize event_count=count() by SecurityFrameworkTagList\\r\\n\",\"size\":0,\"title\":\"Amount of Generated Events per 
Category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"securityFrameworkTags\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"event_count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"event_count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"event_count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"event_count\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags) \\r\\n| where Result in ({Status})\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\\r\\n| extend MitreFramework = pack_array({MitreFramework})\\r\\n| extend FilterIntersection = set_intersect(SecurityFrameworkTagList, MitreFramework)\\r\\n| extend FilterIntersectionCount = array_length(FilterIntersection)\\r\\n| where FilterIntersectionCount > 0\\r\\n| summarize Count = count() by tostring(SecurityIndicatorName)\\r\\n| top 10 by Count desc\",\"size\":3,\"title\":\"Top 10 Indicators of Exposure (IoEs)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"SecurityIndicatorName\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}}},\"customWidth\":\"40\",\"name\":\"query - 
4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags) \\r\\n| where Result in ({Status})\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\\r\\n| extend MitreFramework = pack_array({MitreFramework})\\r\\n| extend FilterIntersection = set_intersect(SecurityFrameworkTagList, MitreFramework)\\r\\n| extend FilterIntersectionCount = array_length(FilterIntersection)\\r\\n| where FilterIntersectionCount > 0\\r\\n| summarize Count = count() by tostring(SecurityFrameworkTags), tostring(SecurityIndicatorName), tostring(Remediation)\\r\\n| top 10 by Count desc\\r\\n| project-away Count\",\"size\":0,\"title\":\"Top 10 Indicators of Exposure (IoEs) Details:\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"60\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-SemperisDSPSecurityIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Semperis Directory Services Protector\\r\\n\\r\\n**Semperis Directory Services Protector** (DSP) provides valuable insight into your Active Directory security posture. It queries your Active Directory environment and performs a set of tests against many aspects of Active Directory's security posture, including AD Delegation, Account security, AD Infrastructure security, Group Policy security, and Kerberos security.\\r\\n\\r\\nEach security indicator is mapped to MITRE ATT&CK® framework categories, explains what was evaluated, and indicates how likely an exposure will compromise Active Directory. 
\\r\\n\\r\\nEach IoE found highlights weak Active Directory configurations and provides actionable guidance on how to close gaps before they are exploited by attackers. Using this workbook, you can determine how you are doing from a security perspective, compared to best practice environments.\\r\\n\\r\\nIn case of security regressions, Semperis Directory Services Protector will trigger alerts through Microsoft Sentinel.\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"# Security Indicators mapped to MITRE ATT&CK® Framework Categories:\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"83787f1b-6573-47c6-8def-36bceb9a8afe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\" Specify the time range on which to query the data\",\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"d46aac4d-bcb8-4dbf-a331-3a3538226bc3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MitreFramework\",\"label\":\"MITRE ATT&CK Framework\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"(dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags))\\r\\n| union (SecurityEvents\\r\\n| extend p1Array = split(AdditionalExtensions,\\\"|\\\")\\r\\n| mv-expand bagexpansion=array p1Array\\r\\n| evaluate bag_unpack(p1Array)\\r\\n| extend 
Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\r\\n| extend Value=replace_string(Value, \\\";\\\", \\\" \\\")\\r\\n| evaluate pivot(Name, any(Value), TimeGenerated, LogSeverity)\\r\\n| extend SecurityIndicatorName = column_ifexists('Name', '')\\r\\n| where isnotempty(SecurityIndicatorName)\\r\\n| extend SecurityFrameworkTags = column_ifexists('SecurityFrameworkTags', '')\\r\\n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags)))| mv-expand bagexpansion=array parse_csv(SecurityFrameworkTagsCsv) to typeof(string)\\r\\n| summarize Count = count() by SecurityFrameworkTagsCsv\\r\\n| order by Count desc, SecurityFrameworkTagsCsv asc\\r\\n| project Value = SecurityFrameworkTagsCsv, Label = strcat(SecurityFrameworkTagsCsv)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf84c455-c1b9-4785-a592-54834be54097\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"(dsp_parser\\r\\n| where isnotempty(Result))\\r\\n| union (SecurityEvents | extend p1Array = split(AdditionalExtensions,\\\"|\\\")| mv-expand bagexpansion=array p1Array| evaluate bag_unpack(p1Array)| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)| evaluate pivot(Name, any(Value))| extend SecurityIndicatorName = column_ifexists('Name', '')| where isnotempty(SecurityIndicatorName)| extend Result = \\\"Attack detected\\\")| summarize Count = count() by tostring(Result)\\r\\n| order by Count desc, Result asc\\r\\n| project Value = Result, Label = 
strcat(Result)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags) \\r\\n| extend Result = Result\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\\r\\n| extend Targets = iff(isempty(Targets), 'AD', Targets))\\r\\n| union \\r\\n(SecurityEvents \\r\\n| extend p1Array = split(AdditionalExtensions,\\\"|\\\")\\r\\n| mv-expand bagexpansion=array p1Array\\r\\n| evaluate bag_unpack(p1Array)\\r\\n| extend Name=tostring(split(p1Array,\\\"=\\\")[0]),Value=substring(p1Array,indexof(p1Array,\\\"=\\\")+1)\\r\\n| extend Value=replace_string(Value, \\\";\\\", \\\" \\\")\\r\\n| evaluate pivot(Name, any(Value), TimeGenerated, LogSeverity)\\r\\n| extend SecurityIndicatorName = column_ifexists('Name', '')\\r\\n| where isnotempty(SecurityIndicatorName)\\r\\n| extend Targets = \\\"AD\\\"\\r\\n| extend Severity = column_ifexists('LogSeverity', '')\\r\\n| extend Score = column_ifexists('PercentageScore', '0')\\r\\n| extend FirstFound = column_ifexists('Timestamp', '')\\r\\n| extend Result = \\\"Attack detected\\\"\\r\\n| extend SecurityFrameworkTags = column_ifexists('SecurityFrameworkTags', '')\\r\\n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags))\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)) \\r\\n| where Result in ({Status})\\r\\n| extend MitreFramework = pack_array({MitreFramework})\\r\\n| extend FilterIntersection = 
set_intersect(SecurityFrameworkTagList, MitreFramework)\\r\\n| extend FilterIntersectionCount = array_length(FilterIntersection)\\r\\n| where FilterIntersectionCount > 0\\r\\n| summarize Count = count() by tostring(SecurityIndicatorName), tostring(Targets), tostring(Severity), tostring(Score), tostring(FirstFound), tostring(Result), tostring(SecurityFrameworkTags)\\r\\n| order by Count\",\"size\":0,\"title\":\"Indicators Details:\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Severity\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"FirstFound\",\"label\":\"Latest alert\"},{\"columnId\":\"SecurityFrameworkTags\",\"label\":\"Security framework tags\"},{\"columnId\":\"SecurityIndicatorName\",\"label\":\"Security Indicator\"}]},\"sortBy\":[{\"itemKey\":\"Severity\",\"sortOrder\":1}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"securityIndicatorName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags) \\r\\n| where Result in ({Status})\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\\r\\n| extend MitreFramework = pack_array({MitreFramework})\\r\\n| extend FilterIntersection = set_intersect(SecurityFrameworkTagList, MitreFramework)\\r\\n| extend FilterIntersectionCount = array_length(FilterIntersection)\\r\\n| where FilterIntersectionCount > 0\\r\\n| summarize Requests = count() by tostring(SecurityIndicatorName)\\r\\n| order by Requests\\r\\n\",\"size\":3,\"title\":\"Breakdown 
by Indicators of Exposure (IoEs)\",\"noDataMessageStyle\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SecurityIndicatorName\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Requests\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false,\"size\":\"auto\"},\"chartSettings\":{\"group\":\"securityIndicatorName\",\"createOtherGroup\":10,\"showMetrics\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Requests\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Requests\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Requests\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags) \\r\\n| where Result in ({Status})\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\\r\\n| mv-expand bagexpansion=array SecurityFrameworkTagList to typeof(string)\\r\\n| where SecurityFrameworkTagList in ({MitreFramework})\\r\\n| summarize event_count=count() by SecurityFrameworkTagList\\r\\n\",\"size\":0,\"title\":\"Amount of Generated Events per 
Category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"securityFrameworkTags\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"event_count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"event_count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"event_count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"event_count\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags) \\r\\n| where Result in ({Status})\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\\r\\n| extend MitreFramework = pack_array({MitreFramework})\\r\\n| extend FilterIntersection = set_intersect(SecurityFrameworkTagList, MitreFramework)\\r\\n| extend FilterIntersectionCount = array_length(FilterIntersection)\\r\\n| where FilterIntersectionCount > 0\\r\\n| summarize Count = count() by tostring(SecurityIndicatorName)\\r\\n| top 10 by Count desc\",\"size\":3,\"title\":\"Top 10 Indicators of Exposure (IoEs)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"SecurityIndicatorName\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}}},\"customWidth\":\"40\",\"name\":\"query - 
4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"dsp_parser\\r\\n| where isnotempty(SecurityFrameworkTags) \\r\\n| where Result in ({Status})\\r\\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\\r\\n| extend MitreFramework = pack_array({MitreFramework})\\r\\n| extend FilterIntersection = set_intersect(SecurityFrameworkTagList, MitreFramework)\\r\\n| extend FilterIntersectionCount = array_length(FilterIntersection)\\r\\n| where FilterIntersectionCount > 0\\r\\n| summarize Count = count() by tostring(SecurityFrameworkTags), tostring(SecurityIndicatorName), tostring(Remediation)\\r\\n| top 10 by Count desc\\r\\n| project-away Count\",\"size\":0,\"title\":\"Top 10 Indicators of Exposure (IoEs) Details:\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"60\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-SemperisDSPSecurityIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -519,7 +519,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "dsp_parser Data Parser with template version 3.0.2", + "description": "dsp_parser Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
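Review bot: The three union branches on the new side of this serializedData (the `MitreFramework` and `Status` parameter queries and the "Indicators Details" query) now read from `SecurityEvents` but still reference `AdditionalExtensions` and `LogSeverity` directly (`split(AdditionalExtensions,"|")`, `evaluate pivot(Name, any(Value), TimeGenerated, LogSeverity)`), columns that belong to the `CommonSecurityLog` schema they replace; the Windows security table in Log Analytics is `SecurityEvent` (singular) and carries neither column, and no `SecurityEvents` table or function is defined anywhere in this diff. Because those references are not wrapped in `column_ifexists` like `PercentageScore` and `Timestamp` are, a missing table or column fails the whole query rather than degrading to the `dsp_parser` branch, and since `MitreFramework` and `Status` are `isRequired` parameters the workbook would presumably render empty. Please confirm against a workspace with the connector installed that a `SecurityEvents` source with an `AdditionalExtensions` column exists, or keep `CommonSecurityLog` for the CEF branch. The same rename appears in the parser hunk at `@@ -536`, whose old side queried `SecurityEvent`; a `dsp_parser` that points at a non-existent table silently empties every workbook tile and analytics rule built on it.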
@@ -528,7 +528,7 @@
 "resources": [
 {
 "name": "[variables('parserObject1')._parserName1]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -536,7 +536,7 @@ "displayName": "Parser for dsp_parser", "category": "Microsoft Sentinel Parser", "functionAlias": "dsp_parser", - "query": "SecurityEvent\n| where EventSourceName == \"Semperis-DSP-Security\"\n| where EventID in (\"9211\", \"9212\", \"9208\")\n| parse EventData with \n '' DSPData ''\n| parse DSPData with \n *\n '' FirstFound ''\n * \n| parse DSPData with \n *\n '' GenerationTime ''\t*\n '' SecurityIndicatorName '' *\n '' Result '' *\n '' Score '' *\n '' ForestName '' *\n '' Domains '' *\n '' Severity '' *\n '' Weight '' *\n '' SecurityFrameworkTags '' *\n '' SecurityIndicatorDescription ''\t*\n '' LikelihoodOfCompromise ''\t*\n '' ResultMessage '' *\n '' NumberOfResults '' *\n '' Remediation '' *\n '' Schedule ''\n *\n| parse DSPData with \n *\n '' Targets ''\n * \n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags))\n| extend SecurityFrameworkTagsCsv = replace(@'Mitre:', @'', tostring(SecurityFrameworkTagsCsv))\n| extend SecurityFrameworkTags = replace(@'Mitre:', @'', tostring(SecurityFrameworkTags))\n| extend GenerationTimeTags = tostring(DSPData)\n", + "query": "SecurityEvents\n| where EventSourceName == \"Semperis-DSP-Security\"\n| where EventID in (\"9211\", \"9212\", \"9208\")\n| parse EventData with \n '' DSPData ''\n| parse DSPData with \n *\n '' FirstFound ''\n * \n| parse DSPData with \n *\n '' GenerationTime ''\t*\n '' SecurityIndicatorName '' *\n '' Result '' *\n '' Score '' *\n '' ForestName '' *\n '' Domains '' *\n '' Severity '' *\n '' Weight '' *\n '' SecurityFrameworkTags '' *\n '' SecurityIndicatorDescription ''\t*\n '' LikelihoodOfCompromise ''\t*\n '' ResultMessage '' *\n '' NumberOfResults '' *\n '' Remediation '' *\n '' Schedule ''\n *\n| parse DSPData with \n *\n '' Targets ''\n * \n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags))\n| extend SecurityFrameworkTagsCsv = replace(@'Mitre:', @'', tostring(SecurityFrameworkTagsCsv))\n| extend 
SecurityFrameworkTags = replace(@'Mitre:', @'', tostring(SecurityFrameworkTags))\n| extend GenerationTimeTags = tostring(DSPData)\n", "functionParameters": "", "version": 2, "tags": [ @@ -551,9 +551,7 @@ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], + "dependsOn": ["[variables('parserObject1')._parserId1]"], "properties": { "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'dsp_parser')]", "contentId": "[variables('parserObject1').parserContentId1]", @@ -591,7 +589,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "[variables('parserObject1')._parserName1]", "location": "[parameters('workspace-location')]", "properties": { 
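Review bot: The parser's source table is changed from `SecurityEvent` to `SecurityEvents`; `SecurityEvent` is the table the Windows Security Events connectors, including the AMA-based one, write to, and I am not aware of a built-in table named `SecurityEvents`, so unless a custom table or function by that name exists in the target workspace the `dsp_parser` function fails to resolve and every analytics rule in this template that lists `dsp_parser` as its data type stops producing alerts. The same rename appears in the second savedSearches resource at @@ -599 and in Parsers/dsp_parser.yaml at @@ -7, so all three need the same decision. The 3.0.3 ReleaseNotes entry mentions only dashboard and workbook changes, not the parser, which suggests this edit may be unintended; if the goal is only to reflect the AMA connector, the query can stay on `SecurityEvent` unchanged.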
@@ -599,7 +597,7 @@ "displayName": "Parser for dsp_parser", "category": "Microsoft Sentinel Parser", "functionAlias": "dsp_parser", - "query": "SecurityEvent\n| where EventSourceName == \"Semperis-DSP-Security\"\n| where EventID in (\"9211\", \"9212\", \"9208\")\n| parse EventData with \n '' DSPData ''\n| parse DSPData with \n *\n '' FirstFound ''\n * \n| parse DSPData with \n *\n '' GenerationTime ''\t*\n '' SecurityIndicatorName '' *\n '' Result '' *\n '' Score '' *\n '' ForestName '' *\n '' Domains '' *\n '' Severity '' *\n '' Weight '' *\n '' SecurityFrameworkTags '' *\n '' SecurityIndicatorDescription ''\t*\n '' LikelihoodOfCompromise ''\t*\n '' ResultMessage '' *\n '' NumberOfResults '' *\n '' Remediation '' *\n '' Schedule ''\n *\n| parse DSPData with \n *\n '' Targets ''\n * \n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags))\n| extend SecurityFrameworkTagsCsv = replace(@'Mitre:', @'', tostring(SecurityFrameworkTagsCsv))\n| extend SecurityFrameworkTags = replace(@'Mitre:', @'', tostring(SecurityFrameworkTags))\n| extend GenerationTimeTags = tostring(DSPData)\n", + "query": "SecurityEvents\n| where EventSourceName == \"Semperis-DSP-Security\"\n| where EventID in (\"9211\", \"9212\", \"9208\")\n| parse EventData with \n '' DSPData ''\n| parse DSPData with \n *\n '' FirstFound ''\n * \n| parse DSPData with \n *\n '' GenerationTime ''\t*\n '' SecurityIndicatorName '' *\n '' Result '' *\n '' Score '' *\n '' ForestName '' *\n '' Domains '' *\n '' Severity '' *\n '' Weight '' *\n '' SecurityFrameworkTags '' *\n '' SecurityIndicatorDescription ''\t*\n '' LikelihoodOfCompromise ''\t*\n '' ResultMessage '' *\n '' NumberOfResults '' *\n '' Remediation '' *\n '' Schedule ''\n *\n| parse DSPData with \n *\n '' Targets ''\n * \n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags))\n| extend SecurityFrameworkTagsCsv = replace(@'Mitre:', @'', tostring(SecurityFrameworkTagsCsv))\n| extend 
SecurityFrameworkTags = replace(@'Mitre:', @'', tostring(SecurityFrameworkTags))\n| extend GenerationTimeTags = tostring(DSPData)\n", "functionParameters": "", "version": 2, "tags": [ @@ -615,9 +613,7 @@ "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], + "dependsOn": ["[variables('parserObject1')._parserId1]"], "properties": { "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'dsp_parser')]", "contentId": "[variables('parserObject1').parserContentId1]", @@ -647,7 +643,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SemperisDSP_EvidenceOfMimikatzDCShadowAttack_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SemperisDSP_EvidenceOfMimikatzDCShadowAttack_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -675,31 +671,25 @@ "status": "Available", "requiredDataConnectors": [ { - "dataTypes": [ - "dsp_parser" - ], + "dataTypes": ["dsp_parser"], "connectorId": "SemperisDSP" } ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1207" - ], + "tactics": ["DefenseEvasion"], + "techniques": ["T1207"], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -753,7 +743,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SemperisDSP_KerberoskrbtgtAccount_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SemperisDSP_KerberoskrbtgtAccount_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -781,34 +771,26 @@ "status": "Available", "requiredDataConnectors": [ { - "dataTypes": [ - "dsp_parser" - ], + "dataTypes": ["dsp_parser"], "connectorId": "SemperisDSP" } ], - "tactics": [ - "CredentialAccess" - ], - "subTechniques": [ - "T1558.001" - ], - "techniques": [ - "T1558" - ], + "tactics": ["CredentialAccess"], + "subTechniques": ["T1558.001"], + "techniques": ["T1558"], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -862,7 +844,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SemperisDSP_RecentsIDHistoryChangesOnADObjects_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SemperisDSP_RecentsIDHistoryChangesOnADObjects_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -890,32 +872,25 @@ "status": "Available", "requiredDataConnectors": [ { - "dataTypes": [ - "dsp_parser" - ], + "dataTypes": ["dsp_parser"], "connectorId": "SemperisDSP" } ], - "tactics": [ - "PrivilegeEscalation", - "Persistence" - ], - "techniques": [ - "T1098" - ], + "tactics": ["PrivilegeEscalation", "Persistence"], + "techniques": ["T1098"], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -969,7 +944,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SemperisDSP_WellKnownPrivilegedSIDsInsIDHistory_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SemperisDSP_WellKnownPrivilegedSIDsInsIDHistory_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -997,32 +972,25 @@ "status": "Available", "requiredDataConnectors": [ { - "dataTypes": [ - "dsp_parser" - ], + "dataTypes": ["dsp_parser"], "connectorId": "SemperisDSP" } ], - "tactics": [ - "PrivilegeEscalation", - "DefenseEvasion" - ], - "techniques": [ - "T1134" - ], + "tactics": ["PrivilegeEscalation", "DefenseEvasion"], + "techniques": ["T1134"], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -1076,7 +1044,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SemperisDSP_ZerologonVulnerability_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "SemperisDSP_ZerologonVulnerability_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -1104,31 +1072,25 @@ "status": "Available", "requiredDataConnectors": [ { - "dataTypes": [ - "dsp_parser" - ], + "dataTypes": ["dsp_parser"], "connectorId": "SemperisDSP" } ], - "tactics": [ - "PrivilegeEscalation" - ], - "techniques": [ - "T1068" - ], + "tactics": ["PrivilegeEscalation"], + "techniques": ["T1068"], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -1182,7 +1144,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Semperis_DSP_Failed_Logons_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "Semperis_DSP_Failed_Logons_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -1210,42 +1172,34 @@ "status": "Available", "requiredDataConnectors": [ { - "dataTypes": [ - "dsp_parser" - ], + "dataTypes": ["dsp_parser"], "connectorId": "SemperisDSP" } ], - "tactics": [ - "InitialAccess", - "CredentialAccess" - ], - "techniques": [ - "T1078", - "T1110" - ], + "tactics": ["InitialAccess", "CredentialAccess"], + "techniques": ["T1078", "T1110"], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ], - "entityType": "Account" + ] } ], "eventGroupingSettings": { @@ -1306,7 +1260,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Semperis_DSP_Operations_Critical_Notifications__AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "Semperis_DSP_Operations_Critical_Notifications__AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1334,9 +1288,7 @@ "status": "Available", "requiredDataConnectors": [ { - "dataTypes": [ - "dsp_parser" - ], + "dataTypes": ["dsp_parser"], "connectorId": "SemperisDSP" } ], 
@@ -1345,37 +1297,33 @@ "CredentialAccess", "ResourceDevelopment" ], - "techniques": [ - "T1133", - "T1110", - "T1584" - ], + "techniques": ["T1133", "T1110", "T1584"], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "LoginUser" + "columnName": "LoginUser", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] } ], "eventGroupingSettings": { @@ -1436,7 +1384,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Semperis_DSP_RBAC_Changes_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "Semperis_DSP_RBAC_Changes_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -1464,46 +1412,38 @@ "status": "Available", "requiredDataConnectors": [ { - "dataTypes": [ - "dsp_parser" - ], + "dataTypes": ["dsp_parser"], "connectorId": "SemperisDSP" } ], - "tactics": [ - "PrivilegeEscalation", - "Persistence" - ], - "techniques": [ - "T1548", - "T1098" - ], + "tactics": ["PrivilegeEscalation", "Persistence"], + "techniques": ["T1548", "T1098"], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "LoginUser" + "columnName": "LoginUser", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] } ], "eventGroupingSettings": { @@ -1564,7 +1504,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Semperis Directory Services Protector data connector with template version 3.0.2", + "description": "Semperis Directory Services Protector data connector with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -1801,9 +1741,7 @@ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], + "dependsOn": ["[variables('_dataConnectorId1')]"], "location": "[parameters('workspace-location')]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", @@ -2001,7 +1939,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Semperis Directory Services Protector", @@ -2102,14 +2040,9 @@ ] }, "firstPublishDate": "2021-10-18", - "providers": [ - "Semperis" - ], + "providers": ["Semperis"], "categories": { - "domains": [ - "Security - Threat Protection", - "Identity" - ] + "domains": ["Security - Threat Protection", "Identity"] } }, "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" diff --git a/Solutions/Semperis Directory Services Protector/Parsers/dsp_parser.yaml b/Solutions/Semperis Directory Services Protector/Parsers/dsp_parser.yaml index 92b86458a21..49f6c8868ad 100644 --- a/Solutions/Semperis Directory Services Protector/Parsers/dsp_parser.yaml +++ b/Solutions/Semperis Directory Services Protector/Parsers/dsp_parser.yaml @@ -7,7 +7,7 @@ Category: Microsoft Sentinel Parser FunctionName: dsp_parser FunctionAlias: dsp_parser FunctionQuery: | - SecurityEvent + SecurityEvents | where EventSourceName == "Semperis-DSP-Security" | where EventID in ("9211", "9212", "9208") | parse EventData with 
diff --git a/Solutions/Semperis Directory Services Protector/ReleaseNotes.md b/Solutions/Semperis Directory Services Protector/ReleaseNotes.md
index 5d58ef1d533..1c17292e2d5 100644
--- a/Solutions/Semperis Directory Services Protector/ReleaseNotes.md
+++ b/Solutions/Semperis Directory Services Protector/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|--------------------------------------------------------------------------------|
+|-------------|--------------------------------|--------------------------------------------------------------------------------|
+|3.0.3|16-03-2026|Updated the main dashboard to have time limits reflecting the period chosen. Added build command script. Fixed workbook tables to reflect AMA.|
 | 3.0.2 | 23-04-2025 | Updated **Analytical Rule** and **Parser** |
 | 3.0.1 | 28-03-2025 | Removed duplicate query and fixed query in **Workbook** SemperisDSPSecurityIndicators. |
 | 3.0.0 | 18-03-2025 | Fixed correct function name in **Workbook** SemperisDSPSecurityIndicators. |
diff --git a/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPADChanges.json b/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPADChanges.json
index 2c13ad71a2e..5b82306bf9a 100644
--- a/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPADChanges.json
+++ b/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPADChanges.json
@@ -124,7 +124,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "CommonSecurityLog \r\n| where DeviceEventClassID == 'Semperis.DSP.AdChanges'\r\n| extend p1Array = split(AdditionalExtensions,\";\")\r\n| mv-expand bagexpansion=array p1Array\r\n| evaluate bag_unpack(p1Array)\r\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\r\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\r\n| parse column_ifexists('DistinguishedName', '') with * \"CN\\\\=\" cnName \",\" *\r\n| extend OriginatingTime=column_ifexists('OriginatingTime', '')\r\n| extend AttributeModificationType=column_ifexists('AttributeModificationType', '')\r\n| extend ClassName=column_ifexists('ClassName', '')\r\n| extend AttributeName=column_ifexists('AttributeName', '')\r\n| where isempty('{Time}') or (todatetime(OriginatingTime) >= todatetime('{Time:startISO}') and todatetime(OriginatingTime) <= todatetime('{Time:endISO}'))\r\n| where isempty('{ChangeType}') or (iif('{ChangeType}' == \"Delete\",indexof(AttributeModificationType,'{ChangeType}') > -1 or indexof(AttributeModificationType,'Remove') > -1,indexof(AttributeModificationType,'{ChangeType}') > -1))\r\n| where isempty('{Class}') or indexof(ClassName,'{Class}') > -1\r\n| where isempty('{AttributeName}') or indexof(AttributeName,'{AttributeName}') > -1\r\n| where isempty('{ObjectChanged}') or indexof(cnName,'{ObjectChanged}') > -1\r\n| project OriginatingTime, AttributeModificationType, AttributeName, cnName, ClassName, column_ifexists('DistinguishedName', ''), column_ifexists('LinkedValueDN', ''), column_ifexists('ObjectModificationType', ''),column_ifexists('OriginatingServer', ''),column_ifexists('OriginatingUserWorkstations', ''),column_ifexists('OriginatingUsers', ''),column_ifexists('PartitionNamingContext', ''),column_ifexists('StringValueFrom', 
''),column_ifexists('StringValueTo', '')", + "query": "SecurityEvents \r\n| where DeviceEventClassID == 'Semperis.DSP.AdChanges'\r\n| extend p1Array = split(AdditionalExtensions,\";\")\r\n| mv-expand bagexpansion=array p1Array\r\n| evaluate bag_unpack(p1Array)\r\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\r\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\r\n| parse column_ifexists('DistinguishedName', '') with * \"CN\\\\=\" cnName \",\" *\r\n| extend OriginatingTime=column_ifexists('OriginatingTime', '')\r\n| extend AttributeModificationType=column_ifexists('AttributeModificationType', '')\r\n| extend ClassName=column_ifexists('ClassName', '')\r\n| extend AttributeName=column_ifexists('AttributeName', '')\r\n| where isempty('{Time}') or (todatetime(OriginatingTime) >= todatetime('{Time:startISO}') and todatetime(OriginatingTime) <= todatetime('{Time:endISO}'))\r\n| where isempty('{ChangeType}') or (iif('{ChangeType}' == \"Delete\",indexof(AttributeModificationType,'{ChangeType}') > -1 or indexof(AttributeModificationType,'Remove') > -1,indexof(AttributeModificationType,'{ChangeType}') > -1))\r\n| where isempty('{Class}') or indexof(ClassName,'{Class}') > -1\r\n| where isempty('{AttributeName}') or indexof(AttributeName,'{AttributeName}') > -1\r\n| where isempty('{ObjectChanged}') or indexof(cnName,'{ObjectChanged}') > -1\r\n| project OriginatingTime, AttributeModificationType, AttributeName, cnName, ClassName, column_ifexists('DistinguishedName', ''), column_ifexists('LinkedValueDN', ''), column_ifexists('ObjectModificationType', ''),column_ifexists('OriginatingServer', ''),column_ifexists('OriginatingUserWorkstations', ''),column_ifexists('OriginatingUsers', ''),column_ifexists('PartitionNamingContext', ''),column_ifexists('StringValueFrom', ''),column_ifexists('StringValueTo', 
'')",
 "size": 0,
 "title": "Semperis DSP AD Change",
 "timeContext": {
diff --git a/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPNotifications.json b/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPNotifications.json
index e292f80eb50..4bbe9062c1d 100644
--- a/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPNotifications.json
+++ b/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPNotifications.json
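Review bot: The source table is switched from `CommonSecurityLog` to `SecurityEvents`, but every column the query then reads without `column_ifexists` — `DeviceEventClassID`, `AdditionalExtensions`, and the pivot's `DeviceVendor`, `DeviceProduct`, `DeviceVersion`, `Activity`, `LogSeverity`, `OriginalLogSeverity`, `DeviceAction` — belongs to the CommonSecurityLog (CEF) schema and is not part of the SecurityEvent schema, so the workbook tile would fail with an unresolved-column error instead of merely returning fewer rows. I am also not aware of a built-in table named `SecurityEvents`; the Windows Security Events connector writes to `SecurityEvent`, and the CEF via AMA connector still writes to `CommonSecurityLog`, so if "reflect AMA" is the goal this query can keep `CommonSecurityLog \r\n| where DeviceEventClassID == 'Semperis.DSP.AdChanges'` unchanged. If DSP AD-change events now really arrive through the Windows event log, the parsing has to be rewritten against `EventData`, as the first branch of the Notifications workbook already does.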
@@ -101,7 +101,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "(SecurityEvent\r\n| where EventSourceName == 'Semperis-DSP-Notifications' \r\n| extend p1Xml = parse_xml(EventData).EventData.Data\r\n| mv-expand bagexpansion=array p1Xml\r\n| evaluate bag_unpack(p1Xml)\r\n| extend Name=column_ifexists(tostring('@Name'), ''), columnValue=column_ifexists('#text', '')\r\n| evaluate pivot(Name, any(columnValue), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\r\n| extend RuleName=tostring(column_ifexists('ruleName', '')), Severity=tostring(column_ifexists('severity', '')), DataSource=tostring(column_ifexists('dataSource', '')), ObjectDN=tostring(column_ifexists('objectDN', '')), TimeCreated=tostring(column_ifexists('timeCreated', '')), Operation=tostring(column_ifexists('fullOperation', '')), Attribute=tostring(column_ifexists('attributeName', '')), Value=tostring(column_ifexists('attributeValue', '')), ChangedBy=tostring(column_ifexists('changedBy', '')), Source=tostring(column_ifexists('Computer', '')))\r\n| union\r\n(CommonSecurityLog\r\n| extend Activity=column_ifexists('Activity', ''), DeviceProduct=column_ifexists('DeviceProduct', '')\r\n| where Activity == 'rule-alert'\r\n| where DeviceProduct == 'Core Directory'\r\n| extend p1Array = split(AdditionalExtensions,\"|\")\r\n| mv-expand bagexpansion=array p1Array\r\n| evaluate bag_unpack(p1Array)\r\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\r\n| extend Value=replace_string(Value, \";\", \" \")\r\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\r\n| extend RuleName=column_ifexists('ruleName', ''), Severity=column_ifexists('severity', ''), DataSource=column_ifexists('dataSources', ''), ObjectDN=column_ifexists('subjectId', ''), 
TimeCreated=column_ifexists('alertCreated', ''), Operation=column_ifexists('operation', ''), Attribute=column_ifexists('attribute', ''), Value=column_ifexists('value', ''), ChangedBy=column_ifexists('changedBy', ''), Source=column_ifexists('alertSource', '')\r\n| extend Severity = case(toint(Severity) == 1 or toint(Severity) == 2, \"Informational\", toint(Severity)==3 or toint(Severity)==4, \"Low\", toint(Severity)==5 or toint(Severity)==6, \"Medium\", toint(Severity)==7 or toint(Severity)==8, \"High\", toint(Severity)==9 or toint(Severity)==10, \"Critical\", \"\"))\r\n| where (isempty('{Time}') or (todatetime(TimeCreated) >= todatetime('{Time:startISO}') and todatetime(TimeCreated) <= todatetime('{Time:endISO}'))) and ((isempty('{RuleName}') or indexof(RuleName,'{RuleName}') > -1)) and ((isempty('{Severity}') or Severity == '{Severity}'))\r\n| order by TimeGenerated desc\r\n| project RuleName, Severity, DataSource, ObjectDN, TimeCreated, Operation, Attribute, Value, ChangedBy, Source", + "query": "(Events\r\n| where EventSourceName == 'Semperis-DSP-Notifications' \r\n| extend p1Xml = parse_xml(EventData).EventData.Data\r\n| mv-expand bagexpansion=array p1Xml\r\n| evaluate bag_unpack(p1Xml)\r\n| extend Name=column_ifexists(tostring('@Name'), ''), columnValue=column_ifexists('#text', '')\r\n| evaluate pivot(Name, any(columnValue), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\r\n| extend RuleName=tostring(column_ifexists('ruleName', '')), Severity=tostring(column_ifexists('severity', '')), DataSource=tostring(column_ifexists('dataSource', '')), ObjectDN=tostring(column_ifexists('objectDN', '')), TimeCreated=tostring(column_ifexists('timeCreated', '')), Operation=tostring(column_ifexists('fullOperation', '')), Attribute=tostring(column_ifexists('attributeName', '')), Value=tostring(column_ifexists('attributeValue', '')), ChangedBy=tostring(column_ifexists('changedBy', '')), 
Source=tostring(column_ifexists('Computer', '')))\r\n| union\r\n(SecurityEvents\r\n| extend Activity=column_ifexists('Activity', ''), DeviceProduct=column_ifexists('DeviceProduct', '')\r\n| where Activity == 'rule-alert'\r\n| where DeviceProduct == 'Core Directory'\r\n| extend p1Array = split(AdditionalExtensions,\"|\")\r\n| mv-expand bagexpansion=array p1Array\r\n| evaluate bag_unpack(p1Array)\r\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\r\n| extend Value=replace_string(Value, \";\", \" \")\r\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\r\n| extend RuleName=column_ifexists('ruleName', ''), Severity=column_ifexists('severity', ''), DataSource=column_ifexists('dataSources', ''), ObjectDN=column_ifexists('subjectId', ''), TimeCreated=column_ifexists('alertCreated', ''), Operation=column_ifexists('operation', ''), Attribute=column_ifexists('attribute', ''), Value=column_ifexists('value', ''), ChangedBy=column_ifexists('changedBy', ''), Source=column_ifexists('alertSource', '')\r\n| extend Severity = case(toint(Severity) == 1 or toint(Severity) == 2, \"Informational\", toint(Severity)==3 or toint(Severity)==4, \"Low\", toint(Severity)==5 or toint(Severity)==6, \"Medium\", toint(Severity)==7 or toint(Severity)==8, \"High\", toint(Severity)==9 or toint(Severity)==10, \"Critical\", \"\"))\r\n| where (isempty('{Time}') or (todatetime(TimeCreated) >= todatetime('{Time:startISO}') and todatetime(TimeCreated) <= todatetime('{Time:endISO}'))) and ((isempty('{RuleName}') or indexof(RuleName,'{RuleName}') > -1)) and ((isempty('{Severity}') or Severity == '{Severity}'))\r\n| order by TimeGenerated desc\r\n| project RuleName, Severity, DataSource, ObjectDN, TimeCreated, Operation, Attribute, Value, ChangedBy, Source", "size": 0, "title": "Notifications", "queryType": 0, 
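Review bot: The two union branches are moved to different tables — `SecurityEvent` to `Events` and `CommonSecurityLog` to `SecurityEvents` — yet each branch keeps its original column set: the first still reads the Windows event-log columns `EventSourceName`, `EventData`, `Channel`, `Computer`, `EventID`, and the second still reads the CEF columns `AdditionalExtensions`, `DeviceVendor`, `DeviceProduct`, `DeviceVersion`, `DeviceEventClassID`, `LogSeverity`, `OriginalLogSeverity`, `DeviceAction`, so neither branch matches the schema of the table it now queries and the `split(AdditionalExtensions,"|")` step in particular has no `column_ifexists` guard. I am not aware of built-in tables named `Events` or `SecurityEvents`; the AMA-based Windows Security Events and CEF connectors still write to `SecurityEvent` and `CommonSecurityLog`, which is exactly what the removed query used. The rename is also inconsistent with the parser hunks in mainTemplate.json, which move the same Semperis event-log source to `SecurityEvents` rather than `Events`, and the same `Events` rename recurs in SemperisDSPQuickviewDashboard.json at @@ -1. Restoring the original table names, or confirming that custom tables or functions with these names exist in the target workspace, is what I would want before merge.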
diff --git a/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPQuickviewDashboard.json b/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPQuickviewDashboard.json
index 597e3947211..c0d39603a83 100644
--- a/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPQuickviewDashboard.json
+++ b/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPQuickviewDashboard.json
@@ -1,13 +1,90 @@ { "version": "Notebook/1.0", "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "83787f1b-6573-47c6-8def-36bceb9a8afe", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "description": " Specify the time range on which to query the data", + "isRequired": true, + "value": { + "durationMs": 604800000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0" + }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let day_names =dynamic([\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"]);\nlet averageData = view() { CommonSecurityLog \n| extend p1Array = split(AdditionalExtensions,\";\")\n| mv-expand bagexpansion=array p1Array\n| evaluate bag_unpack(p1Array)\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\n| where TimeGenerated > datetime(2000-01-01)\n| where isnotnull(OriginatingUsers) 
and OriginatingUsers != \"\"\n| summarize Count=count() by Year=getyear(TimeGenerated), Month=monthofyear(TimeGenerated), Day=dayofmonth(TimeGenerated)\n| summarize Average_Count=toint(avg(Count)) by Day=dayofweek(make_datetime(Year,Month,Day)), SortData=\"Average Daily Change\"\n| order by Day asc};\nlet weeklyData = view() { CommonSecurityLog \n| extend p1Array = split(AdditionalExtensions,\";\")\n| mv-expand bagexpansion=array p1Array\n| evaluate bag_unpack(p1Array)\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\n| where TimeGenerated > startofweek(now())\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \"\"\n| summarize Count=count() by Year=getyear(TimeGenerated), Month=monthofyear(TimeGenerated), Day=dayofmonth(TimeGenerated)\n| summarize Average_Count=toint(avg(Count)) by Day=dayofweek(make_datetime(Year,Month,Day)), SortData=\"Daily Change\"\n| order by Day asc };\nunion withsource=TableName averageData,weeklyData\n| order by Day asc, SortData asc\n| project Average_Count,Day,TableName,SortData,Days=tostring(day_names[indexof('00010203040506', format_timespan(Day,'dd'))/2])\n| render barchart with (kind=unstacked)\n\n", + "query": "let day_names =dynamic([\"Sunday\",\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\"]);\nlet averageData = view() { Events \n| extend p1Array = split(AdditionalExtensions,\";\")\n| mv-expand bagexpansion=array p1Array\n| evaluate bag_unpack(p1Array)\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, 
Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\n| where TimeGenerated > datetime(2000-01-01)\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \"\"\n| summarize Count=count() by Year=getyear(TimeGenerated), Month=monthofyear(TimeGenerated), Day=dayofmonth(TimeGenerated)\n| summarize Average_Count=toint(avg(Count)) by Day=dayofweek(make_datetime(Year,Month,Day)), SortData=\"Average Daily Change\"\n| order by Day asc};\nlet weeklyData = view() { Events \n| extend p1Array = split(AdditionalExtensions,\";\")\n| mv-expand bagexpansion=array p1Array\n| evaluate bag_unpack(p1Array)\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\n| where TimeGenerated > startofweek(now())\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \"\"\n| summarize Count=count() by Year=getyear(TimeGenerated), Month=monthofyear(TimeGenerated), Day=dayofmonth(TimeGenerated)\n| summarize Average_Count=toint(avg(Count)) by Day=dayofweek(make_datetime(Year,Month,Day)), SortData=\"Daily Change\"\n| order by Day asc };\nunion withsource=TableName averageData,weeklyData\n| order by Day asc, SortData asc\n| project Average_Count,Day,TableName,SortData,Days=tostring(day_names[indexof('00010203040506', format_timespan(Day,'dd'))/2])\n| render barchart with (kind=unstacked)\n\n", "size": 0, "title": "Weekly Active Directory Change Count", + "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "chartSettings": { 
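Review bot: The replacement source table is inconsistent across this workbook: the CEF-shaped queries (those reading `AdditionalExtensions`) become `Events` in this hunk and in @@ -185 and @@ -263 but `SecurityEvents` in the union branch of @@ -106, in @@ -349 and in the SemperisDSPSecurityIndicators hunk @@ -94, while the Windows-event-shaped queries (those reading `EventData`/`EventSourceName`) become `Events` in @@ -49, @@ -73, @@ -106, @@ -136 and @@ -312 but `SecurityEvents` in @@ -412 and @@ -438. Neither `Events` nor `SecurityEvents` is a built-in Log Analytics table (the built-ins are `Event`, `SecurityEvent` and `CommonSecurityLog`), so unless the connector provisions custom tables or functions under exactly these names the visuals will fail to resolve; either way one name per schema should be used throughout, and the PR description should state which tables the connector now writes to. Separately, the added `"timeContextFromParameter": "TimeRange"` scopes the query to the selected range, so the `averageData` view's `where TimeGenerated > datetime(2000-01-01)` no longer yields a long-run baseline and 'Average Daily Change' is computed over the same window as 'Daily Change'; if a longer baseline is intended it needs its own fixed range or a note in the item's title. Minor: the new parameter's `"description"` value starts with a stray space.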
@@ -49,9 +126,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "SecurityEvent\n| where EventSourceName == 'Semperis-Operation-Log' and EventID == 20000\n| sort by TimeGenerated desc \n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend details = column_ifexists('details', '')\n| parse details with * \"Trustee Name: \" TrusteeName \" Correlation ID: \" * \" Source: \" HostIP \":\" * \" Target\" *\n| extend host = tostring(HostIP)\n| project TimeGenerated, TrusteeName, HostIP\n| order by TimeGenerated desc\n| top 10 by TimeGenerated", + "query": "Events\n| where EventSourceName == 'Semperis-Operation-Log' and EventID == 20000\n| sort by TimeGenerated desc \n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend details = column_ifexists('details', '')\n| parse details with * \"Trustee Name: \" TrusteeName \" Correlation ID: \" * \" Source: \" HostIP \":\" * \" Target\" *\n| extend host = tostring(HostIP)\n| project TimeGenerated, TrusteeName, HostIP\n| order by TimeGenerated desc\n| top 10 by TimeGenerated", "size": 1, "title": "Successful Logons", + "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { 
@@ -73,9 +151,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "SecurityEvent\n| where EventSourceName == 'Semperis-Operation-Log' and ( EventID == 20000 or EventID == 20002 )\n| sort by TimeGenerated desc \n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend details = column_ifexists('details', ''), accessGrated = column_ifexists('accessGrated', '')\n| parse details with * \"Trustee Name: \" TrusteeName \" Correlation ID: \" * \" Source: \" HostIP \":\" * \" Target\" *\n| extend host = tostring(HostIP)\n| where isnotempty(accessGrated)\n| summarize Count=count() by accessGrated\n", + "query": "Events\n| where EventSourceName == 'Semperis-Operation-Log' and ( EventID == 20000 or EventID == 20002 )\n| sort by TimeGenerated desc \n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend details = column_ifexists('details', ''), accessGrated = column_ifexists('accessGrated', '')\n| parse details with * \"Trustee Name: \" TrusteeName \" Correlation ID: \" * \" Source: \" HostIP \":\" * \" Target\" *\n| extend host = tostring(HostIP)\n| where isnotempty(accessGrated)\n| summarize Count=count() by accessGrated\n", "size": 1, "title": "DSP Logins", + "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart", 
@@ -106,9 +185,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "(SecurityEvent\r\n| where EventSourceName == 'Semperis-DSP-Notifications' \r\n| extend p1Xml = parse_xml(EventData).EventData.Data\r\n| mv-expand bagexpansion=array p1Xml\r\n| evaluate bag_unpack(p1Xml)\r\n| extend Name=column_ifexists(tostring('@Name'), ''), columnValue=column_ifexists('#text', '')\r\n| evaluate pivot(Name, any(columnValue), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\r\n| extend RuleName=tostring(column_ifexists('ruleName', '')), Severity=tostring(column_ifexists('severity', '')), DataSource=tostring(column_ifexists('dataSource', '')), ObjectDN=tostring(column_ifexists('objectDN', '')), TimeCreated=tostring(column_ifexists('timeCreated', '')), Operation=tostring(column_ifexists('fullOperation', '')), Attribute=tostring(column_ifexists('attributeName', '')), Value=tostring(column_ifexists('attributeValue', '')), ChangedBy=tostring(column_ifexists('changedBy', '')), Source=tostring(column_ifexists('Computer', '')))\r\n| union\r\n(CommonSecurityLog \r\n| extend Activity=column_ifexists('Activity', ''), DeviceProduct=column_ifexists('DeviceProduct', '')\r\n| where DeviceProduct == 'Core Directory'\r\n| where Activity == 'rule-alert'\r\n| extend p1Array = split(AdditionalExtensions,\"|\")\r\n| mv-expand bagexpansion=array p1Array\r\n| evaluate bag_unpack(p1Array)\r\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\r\n| extend Value=replace_string(Value, \";\", \" \")\r\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\r\n| extend RuleName=column_ifexists('ruleName', ''), Severity=column_ifexists('severity', ''), DataSource=column_ifexists('dataSources', ''), ObjectDN=column_ifexists('subjectId', ''), 
TimeCreated=column_ifexists('alertCreated', ''), Operation=column_ifexists('operation', ''), Attribute=column_ifexists('attribute', ''), Value=column_ifexists('value', ''), ChangedBy=column_ifexists('changedBy', ''), Source=column_ifexists('alertSource', '')\r\n| extend Severity = case(toint(Severity) == 1 or toint(Severity) == 2, \"Informational\", toint(Severity)==3 or toint(Severity)==4, \"Low\", toint(Severity)==5 or toint(Severity)==6, \"Medium\", toint(Severity)==7 or toint(Severity)==8, \"High\", toint(Severity)==9 or toint(Severity)==10, \"Critical\", \"\"))\r\n| order by TimeGenerated desc\r\n| project RuleName, Severity, Operation, Attribute, Value, ChangedBy, Source\r\n", + "query": "(Events\r\n| where EventSourceName == 'Semperis-DSP-Notifications' \r\n| extend p1Xml = parse_xml(EventData).EventData.Data\r\n| mv-expand bagexpansion=array p1Xml\r\n| evaluate bag_unpack(p1Xml)\r\n| extend Name=column_ifexists(tostring('@Name'), ''), columnValue=column_ifexists('#text', '')\r\n| evaluate pivot(Name, any(columnValue), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\r\n| extend RuleName=tostring(column_ifexists('ruleName', '')), Severity=tostring(column_ifexists('severity', '')), DataSource=tostring(column_ifexists('dataSource', '')), ObjectDN=tostring(column_ifexists('objectDN', '')), TimeCreated=tostring(column_ifexists('timeCreated', '')), Operation=tostring(column_ifexists('fullOperation', '')), Attribute=tostring(column_ifexists('attributeName', '')), Value=tostring(column_ifexists('attributeValue', '')), ChangedBy=tostring(column_ifexists('changedBy', '')), Source=tostring(column_ifexists('Computer', '')))\r\n| union\r\n(SecurityEvents \r\n| extend Activity=column_ifexists('Activity', ''), DeviceProduct=column_ifexists('DeviceProduct', '')\r\n| where DeviceProduct == 'Core Directory'\r\n| where Activity == 'rule-alert'\r\n| extend p1Array = split(AdditionalExtensions,\"|\")\r\n| mv-expand 
bagexpansion=array p1Array\r\n| evaluate bag_unpack(p1Array)\r\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\r\n| extend Value=replace_string(Value, \";\", \" \")\r\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\r\n| extend RuleName=column_ifexists('ruleName', ''), Severity=column_ifexists('severity', ''), DataSource=column_ifexists('dataSources', ''), ObjectDN=column_ifexists('subjectId', ''), TimeCreated=column_ifexists('alertCreated', ''), Operation=column_ifexists('operation', ''), Attribute=column_ifexists('attribute', ''), Value=column_ifexists('value', ''), ChangedBy=column_ifexists('changedBy', ''), Source=column_ifexists('alertSource', '')\r\n| extend Severity = case(toint(Severity) == 1 or toint(Severity) == 2, \"Informational\", toint(Severity)==3 or toint(Severity)==4, \"Low\", toint(Severity)==5 or toint(Severity)==6, \"Medium\", toint(Severity)==7 or toint(Severity)==8, \"High\", toint(Severity)==9 or toint(Severity)==10, \"Critical\", \"\"))\r\n| order by TimeGenerated desc\r\n| project RuleName, Severity, Operation, Attribute, Value, ChangedBy, Source\r\n", "size": 0, "title": "Notifications", + "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", 
@@ -136,9 +216,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "SecurityEvent\n| where EventSourceName == 'Semperis-Operation-Log' and EventID == 20012\n| sort by TimeGenerated desc\n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend details=column_ifexists(tostring('details'), '')\n| parse details with \"Occured at (UTC): \" OccurredAt \"Session ID: \" SessionID \"Trustee Name: \" TrusteeName \"Correlation ID: \" CorrelationID \"Source: \" Source \"WebSite Target: \" WebSiteTarget \"Product: \" Product \"Component: \" Component \"AD Information: \" ADInformation \"Object GUID: \" ObjectGUID \"Attribute: \" Attribute \"Distinguished Name: \" DistinguishedName \"Additional Information: \"AdditionalInformation \"Operation Detail: \" OperationDetail \"operationName: \" operationName \"trustee: \" trustee \"personas: \" personas \"Status: \" status \"Granted: \" Granted \"Result: \" Result\n| where isnotempty(operationName)\n| extend _AccessGranted = iif(operationName contains \"CreateRbacIdentity\", \"Added\", \"Removed\")\n| extend _Identity = iif(operationName contains \"CreateRbacIdentity\", trustee, tostring(substring(trustee,1,strlen(trustee))))\n| extend _Identity = iif(operationName contains \"CreateRbacIdentity\", _Identity, replace_string(_Identity,\"'\",\"\"))\n| extend add_personas = replace_string(replace_string(replace_string(personas,\"{ Name = \",\"\"),\" }\",\"\"),\";\",\",\")\n| extend remove_personas = replace_string(personas,\";\",\",\")\n| extend grid_personas = iif(operationName contains \"CreateRbacIdentity\", add_personas, remove_personas)\n| extend date_to_sort = format_datetime(TimeGenerated,\"yyyy-mm-dd 
HH:mm:ss\")\n| order by date_to_sort desc\n| project TrusteeName, _Identity, _AccessGranted, grid_personas, TimeGenerated\n\n\n", + "query": "Events\n| where EventSourceName == 'Semperis-Operation-Log' and EventID == 20012\n| sort by TimeGenerated desc\n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend details=column_ifexists(tostring('details'), '')\n| parse details with \"Occured at (UTC): \" OccurredAt \"Session ID: \" SessionID \"Trustee Name: \" TrusteeName \"Correlation ID: \" CorrelationID \"Source: \" Source \"WebSite Target: \" WebSiteTarget \"Product: \" Product \"Component: \" Component \"AD Information: \" ADInformation \"Object GUID: \" ObjectGUID \"Attribute: \" Attribute \"Distinguished Name: \" DistinguishedName \"Additional Information: \"AdditionalInformation \"Operation Detail: \" OperationDetail \"operationName: \" operationName \"trustee: \" trustee \"personas: \" personas \"Status: \" status \"Granted: \" Granted \"Result: \" Result\n| where isnotempty(operationName)\n| extend _AccessGranted = iif(operationName contains \"CreateRbacIdentity\", \"Added\", \"Removed\")\n| extend _Identity = iif(operationName contains \"CreateRbacIdentity\", trustee, tostring(substring(trustee,1,strlen(trustee))))\n| extend _Identity = iif(operationName contains \"CreateRbacIdentity\", _Identity, replace_string(_Identity,\"'\",\"\"))\n| extend add_personas = replace_string(replace_string(replace_string(personas,\"{ Name = \",\"\"),\" }\",\"\"),\";\",\",\")\n| extend remove_personas = replace_string(personas,\";\",\",\")\n| extend grid_personas = iif(operationName contains \"CreateRbacIdentity\", add_personas, remove_personas)\n| extend date_to_sort = 
format_datetime(TimeGenerated,\"yyyy-mm-dd HH:mm:ss\")\n| order by date_to_sort desc\n| project TrusteeName, _Identity, _AccessGranted, grid_personas, TimeGenerated\n\n\n", "size": 1, "title": "Role Based Access Control Changes", + "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", 
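Review bot: The sort key `date_to_sort = format_datetime(TimeGenerated,"yyyy-mm-dd HH:mm:ss")` uses `mm`, which in KQL `format_datetime` is the minute field (month is `MM`), so the string orders by year, minute, day and the following `order by date_to_sort desc` is not chronological. The rows are already sorted by `TimeGenerated` at the top of the query, so the two lines `| extend date_to_sort = …` and `| order by date_to_sort desc` can be replaced by `| order by TimeGenerated desc` or dropped. The defect predates the commit, but the query string is rewritten here, so this is the place to fix it.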
@@ -185,9 +266,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "CommonSecurityLog\n| extend p1Array = split(AdditionalExtensions,\";\")\n| mv-expand bagexpansion=array p1Array\n| evaluate bag_unpack(p1Array)\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity)\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \"\"\n| summarize ChangedCount = count() by tostring(OriginatingUsers)\n| project replace_string(OriginatingUsers,'\\\\\\\\','/'), ChangedCount, OriginatingUsers, \"Details\"\n| order by ChangedCount desc\n| top 5 by ChangedCount", + "query": "Events\n| extend p1Array = split(AdditionalExtensions,\";\")\n| mv-expand bagexpansion=array p1Array\n| evaluate bag_unpack(p1Array)\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity)\n| where isnotnull(OriginatingUsers) and OriginatingUsers != \"\"\n| summarize ChangedCount = count() by tostring(OriginatingUsers)\n| project replace_string(OriginatingUsers,'\\\\\\\\','/'), ChangedCount, OriginatingUsers, \"Details\"\n| order by ChangedCount desc\n| top 5 by ChangedCount", "size": 1, "title": "Top 5 Identities Making Changes", + "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "table", 
@@ -263,9 +345,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "CommonSecurityLog\n| extend p1Array = split(AdditionalExtensions,\";\")\n| mv-expand bagexpansion=array p1Array\n| evaluate bag_unpack(p1Array)\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\n| extend DistinguishedName = column_ifexists('DistinguishedName', '')\n| where isnotempty(DistinguishedName)\n| parse DistinguishedName with * \"CN=\" cnName \",\" *\n| parse DistinguishedName with * \"DC=\" dcName \",\" *\n| where ClassName != \"dnsNode\"\n| summarize ChangedCount=count() by cnName\n| project cnName, ChangedCount, \"Details\"\n| order by ChangedCount desc\n| top 5 by ChangedCount\n", + "query": "Events\n| extend p1Array = split(AdditionalExtensions,\";\")\n| mv-expand bagexpansion=array p1Array\n| evaluate bag_unpack(p1Array)\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\n| extend DistinguishedName = column_ifexists('DistinguishedName', '')\n| where isnotempty(DistinguishedName)\n| parse DistinguishedName with * \"CN=\" cnName \",\" *\n| parse DistinguishedName with * \"DC=\" dcName \",\" *\n| where ClassName != \"dnsNode\"\n| summarize ChangedCount=count() by cnName\n| project cnName, ChangedCount, \"Details\"\n| order by ChangedCount desc\n| top 5 by ChangedCount\n", "size": 3, "title": "Top 5 Objects Changed", + "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { 
@@ -312,9 +395,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "SecurityEvent\n| where EventSourceName == 'Semperis-DSP-Notifications' \n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Key1=tostring(column_ifexists('@Name', '')), Value=column_ifexists('#text', '')\n| evaluate pivot(Key1, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend fullOperation=column_ifexists('fullOperation', '')\n| summarize Count=count() by tostring(fullOperation)\n\n", + "query": "Events\n| where EventSourceName == 'Semperis-DSP-Notifications' \n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Key1=tostring(column_ifexists('@Name', '')), Value=column_ifexists('#text', '')\n| evaluate pivot(Key1, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend fullOperation=column_ifexists('fullOperation', '')\n| summarize Count=count() by tostring(fullOperation)\n\n", "size": 1, "title": "AD Change Types", + "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { 
@@ -349,9 +433,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "CommonSecurityLog\n| extend p1Array = split(AdditionalExtensions,\";\")\n| mv-expand bagexpansion=array p1Array\n| evaluate bag_unpack(p1Array)\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\n| parse DistinguishedName with * \"CN\\\\=\" cnName \",\" *\n| parse DistinguishedName with * \"DC\\\\=\" dcName \",\" *\n| where ClassName == 'group'\n| project AttributeModificationType,cnName,OriginatingTime,replace_string(OriginatingUsers,\"\\\\\\\\\",\"\\\\\"),StringValueFrom,StringValueTo\n", + "query": "SecurityEvents\n| extend p1Array = split(AdditionalExtensions,\";\")\n| mv-expand bagexpansion=array p1Array\n| evaluate bag_unpack(p1Array)\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\n| evaluate pivot(Name, any(Value), TimeGenerated, TenantId, DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, OriginalLogSeverity, DeviceAction)\n| parse DistinguishedName with * \"CN\\\\=\" cnName \",\" *\n| parse DistinguishedName with * \"DC\\\\=\" dcName \",\" *\n| where ClassName == 'group'\n| project AttributeModificationType,cnName,OriginatingTime,replace_string(OriginatingUsers,\"\\\\\\\\\",\"\\\\\"),StringValueFrom,StringValueTo\n", "size": 0, "title": "Builtin Group Changes", + "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "gridSettings": { 
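Review bot: The `parse DistinguishedName with * "CN\\=" cnName "," *` here expects the escaped form `CN\=`, while the same pivoted `DistinguishedName` field is parsed with a plain `"CN="` in @@ -263 after an identical `split(AdditionalExtensions,";")` pipeline; presumably only one of the two matches the stored value and the other visual ends up with an empty `cnName`, so the two should agree. `dcName` is parsed but never projected and can be dropped. The title 'Builtin Group Changes' suggests a narrower selection than `where ClassName == 'group'`, which matches every group object; either the filter should be narrowed or the title adjusted.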
@@ -412,9 +497,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "SecurityEvent\n| where EventSourceName == \"Semperis-DSP-Security\"\n| where EventID in (\"9211\", \"9212\", \"9208\")\n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend result=column_ifexists(tostring('result'), ''), numberOfResults=column_ifexists(tostring('numberOfResults'), ''), securityIndicatorName=column_ifexists(tostring('securityIndicatorName'), '')\n| extend isProblem = iif(result == \"Failed\", true, false)\n| where isnotnull(numberOfResults) and isProblem == true\n| order by tostring(securityIndicatorName)\n| summarize Count=count() by tostring(securityIndicatorName)\n| top 5 by Count\n\n", + "query": "SecurityEvents\n| where EventSourceName == \"Semperis-DSP-Security\"\n| where EventID in (\"9211\", \"9212\", \"9208\")\n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend result=column_ifexists(tostring('result'), ''), numberOfResults=column_ifexists(tostring('numberOfResults'), ''), securityIndicatorName=column_ifexists(tostring('securityIndicatorName'), '')\n| extend isProblem = iif(result == \"Failed\", true, false)\n| where isnotnull(numberOfResults) and isProblem == true\n| order by tostring(securityIndicatorName)\n| summarize Count=count() by tostring(securityIndicatorName)\n| top 5 by Count\n\n", "size": 1, "title": "Top 5 Failed Security 
Indicators",
+ "timeContextFromParameter": "TimeRange",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "piechart",
@@ -422,9 +508,7 @@
 "rowLimit": 10000
 },
 "chartSettings": {
- "yAxis": [
- "Count"
- ],
+ "yAxis": ["Count"],
 "showLegend": true
 }
 },
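Review bot: `where EventID in ("9211", "9212", "9208")` compares `EventID` to string literals, while the same workbook treats it as a number in @@ -49 (`EventID == 20000`) and @@ -73; if the column is numeric, as in the built-in `SecurityEvent` schema, this filter fails type checking or never matches and should read `| where EventID in (9211, 9212, 9208)`. The `order by tostring(securityIndicatorName)` immediately before `summarize` is discarded by the aggregation and can go. `extend isProblem = iif(result == "Failed", true, false)` followed by `where isnotnull(numberOfResults) and isProblem == true` reduces to `| where isnotnull(numberOfResults) and result == "Failed"`. The same query pattern, with the same issues, is repeated in @@ -438.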
@@ -438,12 +522,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "SecurityEvent\n| where EventSourceName == \"Semperis-DSP-Security\"\n| where EventID in (\"9211\", \"9212\", \"9208\")\n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend result=column_ifexists(tostring('result'), ''), numberOfResults=column_ifexists(tostring('numberOfResults'), ''), securityFrameworkTags=column_ifexists(tostring('securityFrameworkTags'), '')\n| extend isProblem = iif(result == \"Failed\", true, false)\n| where isnotnull(numberOfResults) and isProblem == true\n| summarize Count=count() by tostring(securityFrameworkTags)\n\n", + "query": "SecurityEvents\n| where EventSourceName == \"Semperis-DSP-Security\"\n| where EventID in (\"9211\", \"9212\", \"9208\")\n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend result=column_ifexists(tostring('result'), ''), numberOfResults=column_ifexists(tostring('numberOfResults'), ''), securityFrameworkTags=column_ifexists(tostring('securityFrameworkTags'), '')\n| extend isProblem = iif(result == \"Failed\", true, false)\n| where isnotnull(numberOfResults) and isProblem == true\n| summarize Count=count() by tostring(securityFrameworkTags)\n\n", "size": 0, "title": "Amount of Generated Events per Category", - "timeContext": { - "durationMs": 14400000 - }, + "timeContextFromParameter": "TimeRange", "queryType": 0, 
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "categoricalbar",
@@ -451,19 +533,19 @@
 "rowLimit": 10000
 },
 "chartSettings": {
- "yAxis": [
- "Count"
- ],
+ "yAxis": ["Count"],
 "showLegend": true
 }
 },
 "name": "query - 2"
 }
 ],
+ "fallbackResourceIds": [
+ "/subscriptions/20d762c7-7b9b-41b2-ab45-62d7fa96ddbe/resourcegroups/Semperis-Testing-RG"
+ ],
 "styleSettings": {
 "paddingStyle": "wide",
 "spacingStyle": "wide"
 },
- "fromTemplateId": "sentinel-SemperisDSPQuickviewDashboard",
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
\ No newline at end of file
+}
diff --git a/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPSecurityIndicators.json b/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPSecurityIndicators.json
index 50f51e91728..71d9510e799 100644
--- a/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPSecurityIndicators.json
+++ b/Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPSecurityIndicators.json
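Review bot: The `fallbackResourceIds` added in the @@ -451 hunk of SemperisDSPQuickviewDashboard.json pins the workbook to one subscription and a `Semperis-Testing-RG` resource group, which looks like the author's test environment rather than anything a customer deploying the solution can resolve; it should be removed before the workbook is packaged, with the workspace supplied by the deployment instead. In the same hunk the `fromTemplateId` key is dropped; if that is deliberate (detaching the saved workbook from its gallery template) the PR description should say so, otherwise it should stay. Publishing environment-specific resource IDs in a public template also discloses the vendor's Azure subscription identifier, which is not a secret but has no place in shipped content.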
@@ -94,11 +94,9 @@ "multiSelect": true, "quote": "'", "delimiter": ",", - "query": "(dsp_parser\r\n| where isnotempty(SecurityFrameworkTags))\r\n| union (CommonSecurityLog\r\n| extend p1Array = split(AdditionalExtensions,\"|\")\r\n| mv-expand bagexpansion=array p1Array\r\n| evaluate bag_unpack(p1Array)\r\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\r\n| extend Value=replace_string(Value, \";\", \" \")\r\n| evaluate pivot(Name, any(Value), TimeGenerated, LogSeverity)\r\n| extend SecurityIndicatorName = column_ifexists('Name', '')\r\n| where isnotempty(SecurityIndicatorName)\r\n| extend SecurityFrameworkTags = column_ifexists('SecurityFrameworkTags', '')\r\n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags)))| mv-expand bagexpansion=array parse_csv(SecurityFrameworkTagsCsv) to typeof(string)\r\n| summarize Count = count() by SecurityFrameworkTagsCsv\r\n| order by Count desc, SecurityFrameworkTagsCsv asc\r\n| project Value = SecurityFrameworkTagsCsv, Label = strcat(SecurityFrameworkTagsCsv)", + "query": "(dsp_parser\r\n| where isnotempty(SecurityFrameworkTags))\r\n| union (SecurityEvents\r\n| extend p1Array = split(AdditionalExtensions,\"|\")\r\n| mv-expand bagexpansion=array p1Array\r\n| evaluate bag_unpack(p1Array)\r\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\r\n| extend Value=replace_string(Value, \";\", \" \")\r\n| evaluate pivot(Name, any(Value), TimeGenerated, LogSeverity)\r\n| extend SecurityIndicatorName = column_ifexists('Name', '')\r\n| where isnotempty(SecurityIndicatorName)\r\n| extend SecurityFrameworkTags = column_ifexists('SecurityFrameworkTags', '')\r\n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags)))| mv-expand bagexpansion=array parse_csv(SecurityFrameworkTagsCsv) to typeof(string)\r\n| summarize Count = count() by SecurityFrameworkTagsCsv\r\n| order by 
Count desc, SecurityFrameworkTagsCsv asc\r\n| project Value = SecurityFrameworkTagsCsv, Label = strcat(SecurityFrameworkTagsCsv)", "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], + "additionalResourceOptions": ["value::all"], "selectAllValue": "", "showDefault": false }, @@ -109,9 +107,7 @@ "defaultValue": "value::all", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "value": [ - "value::all" - ] + "value": ["value::all"] }, { "id": "cf84c455-c1b9-4785-a592-54834be54097", 
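Review bot: Replacing `CommonSecurityLog` with `SecurityEvents` in the `union` branch leaves the rest of that branch parsing CEF columns — `AdditionalExtensions` split on `|` and pivoted with `LogSeverity` — that do not exist on the Windows security event table, so even with the table name corrected to `SecurityEvent` the branch yields no rows or a semantic error. If the data now arrives as Windows events, this branch needs the `parse_xml(EventData)` extraction the Quickview dashboard query above already uses; if it still arrives as CEF, the table rename should be reverted. The same mismatch is in the two hunks that follow (`@@ -122,14 +118,10 @@` and `@@ -156,7 +148,7 @@`).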
@@ -122,14 +118,10 @@ "multiSelect": true, "quote": "'", "delimiter": ",", - "query": "(dsp_parser\r\n| where isnotempty(Result))\r\n| union (CommonSecurityLog | extend p1Array = split(AdditionalExtensions,\"|\")| mv-expand bagexpansion=array p1Array| evaluate bag_unpack(p1Array)| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)| evaluate pivot(Name, any(Value))| extend SecurityIndicatorName = column_ifexists('Name', '')| where isnotempty(SecurityIndicatorName)| extend Result = \"Attack detected\")| summarize Count = count() by tostring(Result)\r\n| order by Count desc, Result asc\r\n| project Value = Result, Label = strcat(Result)", - "value": [ - "value::all" - ], + "query": "(dsp_parser\r\n| where isnotempty(Result))\r\n| union (SecurityEvents | extend p1Array = split(AdditionalExtensions,\"|\")| mv-expand bagexpansion=array p1Array| evaluate bag_unpack(p1Array)| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)| evaluate pivot(Name, any(Value))| extend SecurityIndicatorName = column_ifexists('Name', '')| where isnotempty(SecurityIndicatorName)| extend Result = \"Attack detected\")| summarize Count = count() by tostring(Result)\r\n| order by Count desc, Result asc\r\n| project Value = Result, Label = strcat(Result)", + "value": ["value::all"], "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], + "additionalResourceOptions": ["value::all"], "showDefault": false }, "timeContext": { 
@@ -156,7 +148,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "(dsp_parser\r\n| where isnotempty(SecurityFrameworkTags) \r\n| extend Result = Result\r\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\r\n| extend Targets = iff(isempty(Targets), 'AD', Targets))\r\n| union \r\n(CommonSecurityLog \r\n| extend p1Array = split(AdditionalExtensions,\"|\")\r\n| mv-expand bagexpansion=array p1Array\r\n| evaluate bag_unpack(p1Array)\r\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\r\n| extend Value=replace_string(Value, \";\", \" \")\r\n| evaluate pivot(Name, any(Value), TimeGenerated, LogSeverity)\r\n| extend SecurityIndicatorName = column_ifexists('Name', '')\r\n| where isnotempty(SecurityIndicatorName)\r\n| extend Targets = \"AD\"\r\n| extend Severity = column_ifexists('LogSeverity', '')\r\n| extend Score = column_ifexists('PercentageScore', '0')\r\n| extend FirstFound = column_ifexists('Timestamp', '')\r\n| extend Result = \"Attack detected\"\r\n| extend SecurityFrameworkTags = column_ifexists('SecurityFrameworkTags', '')\r\n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags))\r\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)) \r\n| where Result in ({Status})\r\n| extend MitreFramework = pack_array({MitreFramework})\r\n| extend FilterIntersection = set_intersect(SecurityFrameworkTagList, MitreFramework)\r\n| extend FilterIntersectionCount = array_length(FilterIntersection)\r\n| where FilterIntersectionCount > 0\r\n| summarize Count = count() by tostring(SecurityIndicatorName), tostring(Targets), tostring(Severity), tostring(Score), tostring(FirstFound), tostring(Result), tostring(SecurityFrameworkTags)\r\n| order by Count", + "query": "(dsp_parser\r\n| where isnotempty(SecurityFrameworkTags) \r\n| extend Result = Result\r\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)\r\n| extend Targets 
= iff(isempty(Targets), 'AD', Targets))\r\n| union \r\n(SecurityEvents \r\n| extend p1Array = split(AdditionalExtensions,\"|\")\r\n| mv-expand bagexpansion=array p1Array\r\n| evaluate bag_unpack(p1Array)\r\n| extend Name=tostring(split(p1Array,\"=\")[0]),Value=substring(p1Array,indexof(p1Array,\"=\")+1)\r\n| extend Value=replace_string(Value, \";\", \" \")\r\n| evaluate pivot(Name, any(Value), TimeGenerated, LogSeverity)\r\n| extend SecurityIndicatorName = column_ifexists('Name', '')\r\n| where isnotempty(SecurityIndicatorName)\r\n| extend Targets = \"AD\"\r\n| extend Severity = column_ifexists('LogSeverity', '')\r\n| extend Score = column_ifexists('PercentageScore', '0')\r\n| extend FirstFound = column_ifexists('Timestamp', '')\r\n| extend Result = \"Attack detected\"\r\n| extend SecurityFrameworkTags = column_ifexists('SecurityFrameworkTags', '')\r\n| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags))\r\n| extend SecurityFrameworkTagList = parse_csv(SecurityFrameworkTagsCsv)) \r\n| where Result in ({Status})\r\n| extend MitreFramework = pack_array({MitreFramework})\r\n| extend FilterIntersection = set_intersect(SecurityFrameworkTagList, MitreFramework)\r\n| extend FilterIntersectionCount = array_length(FilterIntersection)\r\n| where FilterIntersectionCount > 0\r\n| summarize Count = count() by tostring(SecurityIndicatorName), tostring(Targets), tostring(Severity), tostring(Score), tostring(FirstFound), tostring(Result), tostring(SecurityFrameworkTags)\r\n| order by Count", "size": 0, "title": "Indicators Details:", "timeContextFromParameter": "TimeRange", @@ -389,4 +381,4 @@ ], "fromTemplateId": "sentinel-SemperisDSPSecurityIndicators", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} \ No newline at end of file +} 
diff --git a/Solutions/Semperis Directory Services Protector/Workbooks/workbooksMetadata.json b/Solutions/Semperis Directory Services Protector/Workbooks/workbooksMetadata.json
index 032c0817a7d..ee31914b82c 100644
--- a/Solutions/Semperis Directory Services Protector/Workbooks/workbooksMetadata.json
+++ b/Solutions/Semperis Directory Services Protector/Workbooks/workbooksMetadata.json
@@ -3,7 +3,7 @@
 "workbookKey": "SemperisDSPADChangesWorkbook",
 "logoFileName": "Semperis.svg",
 "description": "View change data related to the Semperis DSP system.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
+ "dataTypesDependencies": [ "SecurityEvents" ],
 "dataConnectorsDependencies": [ "SemperisDSP-connector" ],
 "previewImagesFileNames": [ "adchanges-black.png", "adchanges-white.png" ],
 "version": "1.0.0",
diff --git a/Solutions/Semperis Directory Services Protector/build.ps1 b/Solutions/Semperis Directory Services Protector/build.ps1
new file mode 100644
index 00000000000..55091d0fab5
--- /dev/null
+++ b/Solutions/Semperis Directory Services Protector/build.ps1
@@ -0,0 +1 @@
+../../Tools/Create-Azure-Sentinel-Solution/V3/createSolutionV3.ps1
\ No newline at end of file
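Review bot: The single line in the new build.ps1 invokes `createSolutionV3.ps1` by a path relative to the caller's current directory, not to the script's own location, so it only works when run from inside the solution folder. Anchor it on the script root instead, `& "$PSScriptRoot/../../Tools/Create-Azure-Sentinel-Solution/V3/createSolutionV3.ps1"`, and end the file with a newline. Whether the called script itself relies on the current directory to locate the solution is not visible here, so check that before changing how it is invoked.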