Improve query if column is not present

Solutions/Azure DDoS Protection/Analytic Rules/AttackSourcesPPSThreshold.yaml

@@ -13,10 +13,10 @@ queryFrequency: 2h
 triggerOperator: gt
 triggerThreshold: 0
 query: |
-  AzureDiagnostics 
+  AzureDiagnostics
   | where ResourceType == 'PUBLICIPADDRESSES' and Category == "DDoSMitigationFlowLogs"
   //sample rate of mitigation device 1:1000 so the PPS of the source is estimated to be x1000.
-  | summarize PPS = 1000 * count() by destPublicIpAddress_s, sec = bin(TimeGenerated, 1s), sourcePublicIpAddress_s
+  | summarize PPS = 1000 * count() by destPublicIpAddress_s = column_ifexists("destPublicIpAddress_s", ""), sec = bin(TimeGenerated, 1s), sourcePublicIpAddress_s = column_ifexists("sourcePublicIpAddress_s", "")
   | summarize maxPPS = max(PPS) by destPublicIpAddress_s, sourcePublicIpAddress_s
   | order by destPublicIpAddress_s, maxPPS desc
   | where maxPPS > 10000
@@ -31,4 +31,4 @@ tactics:
   - Impact
 relevantTechniques:
   - T1498
-version: 1.0.1
+version: 1.0.2

Solutions/Azure DDoS Protection/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/AzDDoS.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Azure DDoS Protection](https://docs.microsoft.com/azure/virtual-network/ddos-protection-overview) Solution for Microsoft Sentinel enables you to easily ingest Azure DDoS Protection Standard logs to Microsoft Sentinel. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security.\n\n To enable automated response to threats detected, consider deploying the [Remediation-IP Playbook](https://github.com/Azure/Azure-Sentinel/tree/master/MasterPlaybooks/Remediation-IP). \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Azure Monitor Resource Diagnostics](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings) \n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/AzDDoS.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20DDoS%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure DDoS Protection](https://docs.microsoft.com/azure/virtual-network/ddos-protection-overview) Solution for Microsoft Sentinel enables you to easily ingest Azure DDoS Protection Standard logs to Microsoft Sentinel. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security.\n\n To enable automated response to threats detected, consider deploying the [Remediation-IP Playbook](https://github.com/Azure/Azure-Sentinel/tree/master/MasterPlaybooks/Remediation-IP). \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Azure Monitor Resource Diagnostics](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings) \n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -100,6 +100,20 @@
                 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
               }
             }
+          },
+          {
+            "name": "workbook1",
+            "type": "Microsoft.Common.Section",
+            "label": "Azure DDoS Protection Workbook",
+            "elements": [
+              {
+                "name": "workbook1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This workbook visualizes security-relevant Azure DDoS events across several filterable panels. Offering a summary tab, metrics and a investigate tabs across multiple workspaces."
+                }
+              }
+            ]
           }
         ]
       },