{
"name": "AzureFirewall-{Workspace_Name}",
"type": "Microsoft.Portal/dashboards",
"location": "{Dashboard_Location}",
"tags": {
"dashboardKey": "AzureFirewall",
"hidden-title": "Azure Firewall - {Workspace_Name}",
"version": "1.1",
"workspaceName": "{Workspace_Name}"
},
"properties": {
"lenses": {
"0": {
"order": 0,
"parts": {
"0": {
"position": {
"x": 0,
"y": 0,
"colSpan": 1,
"rowSpan": 1
},
"metadata": {
"inputs": [
{
"name": "subscriptionId",
"value": "{Subscription_Id}"
},
{
"name": "resourceGroup",
"value": "{Resource_Group}"
},
{
"name": "workspaceName",
"value": "{Workspace_Name}"
},
{
"name": "dashboardName",
"value": "AzureFirewall"
},
{
"name": "menuItemToOpen",
"value": "Dashboards"
}
],
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
"defaultMenuItemId": "0"
}
},
"1": {
"position": {
"x": 1,
"y": 0,
"colSpan": 15,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Azure Firewall - overview</div>\n\n",
"title": "",
"subtitle": ""
}
}
}
}
},
"2": {
"position": {
"x": 16,
"y": 0,
"colSpan": 2,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<img width='50' height='50' src='https://106c4.wpc.azureedge.net/80106C4/Gallery-Prod/cdn/2015-02-24/prod20161101-microsoft-windowsazure-gallery/microsoft.AzureFirewall-Arm.1.0.4/Icons/Large.png'/> ",
"title": "",
"subtitle": ""
}
}
}
}
},
"3": {
"position": {
"x": 0,
"y": 1,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where ResourceType == \"AZUREFIREWALLS\" \r\n| summarize Volume=count() by TimeGenerated\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Volume",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "7a279309-4d2d-4c29-821e-88bb0e4c660e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Events, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"4": {
"position": {
"x": 9,
"y": 1,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where ResourceType == \"AZUREFIREWALLS\" \r\n| summarize count() by Category, TimeGenerated\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Category",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "e43210b9-219e-4454-a92e-d89ac851c6d3"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Event categories, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"5": {
"position": {
"x": 0,
"y": 5,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| summarize amount = count() by Resource, ResourceGroup\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ecd5abf3-394c-44e4-8034-8ff96464d8d5"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Firewall per resource group",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"6": {
"position": {
"x": 9,
"y": 5,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\" | summarize count() by Category\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Category",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ae80cad7-a26d-4e0a-9603-203e5365d97f"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Events, by category",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"7": {
"position": {
"x": 0,
"y": 9,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Azure Firewall - Application rule log statitics</div>\r\n",
"title": "",
"subtitle": ""
}
}
}
}
},
"8": {
"position": {
"x": 0,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Deny\" | summarize Amount=dcount(SourceIP) by SourceIP\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "SourceIP",
"type": "String"
},
"yAxis": [
{
"name": "Amount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "a7f860b9-cb1c-48a4-9f3a-d67ec9834370"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Unique source IP addresses",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"9": {
"position": {
"x": 6,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Allow\" \r\n| summarize count() by URL=FQDN\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "URL",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "dc3e7d37-725c-4ad1-9c0c-7d386d962b7b"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Allowed URL addresses",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"10": {
"position": {
"x": 12,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)| where Action == \"Deny\" \r\n| summarize count() by URL=FQDN\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "URL",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "702f6197-4bd9-404f-b2ec-7d5cfa07636d"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Denied URL addresses",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"11": {
"position": {
"x": 0,
"y": 14,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Deny\" | summarize Amount=dcount(SourceIP) by SourceIP, Protocol, URL = FQDN, TargetPortInt, Action\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "6a54bcd1-42b4-45fa-b1a9-3465cb7b0589"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Unique source IP addresses",
"PartSubTitle": "",
"GridColumnsWidth": {
"Protocol": "90px",
"SourceIP": "98px",
"TargetPortInt": "102px"
}
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"12": {
"position": {
"x": 6,
"y": 14,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Allow\" \r\n| summarize count() by URL=FQDN, bin(TimeGenerated,15min)\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "URL",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "9ec8a61b-0e04-40be-9b41-139ff2aff5f5"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Allowed URL addresses, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"13": {
"position": {
"x": 12,
"y": 14,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)| where Action == \"Deny\" \r\n| summarize count() by URL=FQDN, bin(TimeGenerated,15min)\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "URL",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "c75ebea2-305d-4e9a-b4c1-06216e50e4d7"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Denied URL addresses, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"14": {
"position": {
"x": 0,
"y": 18,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Azure Firewall - Network rule log statistics</div>\n",
"title": "",
"subtitle": ""
}
}
}
}
},
"15": {
"position": {
"x": 0,
"y": 19,
"colSpan": 18,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| parse msg_s with Protocol \" request from\" SourceIP \":\" SourcePortInt:int \" to\" TargetIP \":\" TargetPortInt:int *\r\n| parse msg_s with * \". Action: \" Action1a\r\n| parse msg_s with * \" was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from\" SourceIP2 \" to\" TargetIP2 \". Action:\" Action2\r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)\r\n| extend Action = case(Action1a == \"\", case(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", Protocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),TargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),NatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)\r\n| summarize count() by Action, TimeGenerated\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Action",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "a61bc484-e9cd-4f0a-b1bc-4020bd406116"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Actions, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"16": {
"position": {
"x": 0,
"y": 23,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n| summarize amount = count() by Action\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Action",
"type": "String"
},
"yAxis": [
{
"name": "amount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "29ea3ed2-1d64-492d-82d9-8b36189187c8"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Rule actions",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"17": {
"position": {
"x": 6,
"y": 23,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination \r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", case(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", Protocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),TargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort), NatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n| summarize Count=count() by TargetPort\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TargetPort",
"type": "String"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "27824317-7840-48a5-8dc0-3e0d4690f7fc"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Target ports",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"18": {
"position": {
"x": 12,
"y": 23,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n//| where Action == \"DNAT'ed\"\r\n| summarize Amount=count() by NatDestination\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "f2c4c8ee-2219-4fa4-a88f-32106cafecdc"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "DNAT actions",
"PartSubTitle": "",
"Query": "AzureDiagnostics \n| where Category == \"AzureFirewallNetworkRule\" \n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \n| parse msg_s with * \". Action: \" Action1a \n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \n| extend Action = case(Action1a == \"\", \ncase(Action1b == \"\",Action2,Action1b), Action1a),\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \n| where Action == \"DNAT'ed\"\n| summarize Amount=count() by NatDestination\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"19": {
"position": {
"x": 0,
"y": 27,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n| summarize amount = count() by Action , SourceIP\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "6ca03d53-d42c-4267-87e9-3930b7e92b95"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Rule actions, by IP addresses",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"20": {
"position": {
"x": 6,
"y": 27,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination \r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", \r\nProtocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort), \r\nNatDestination = case(NatDestination == \"\", \r\n\"N/A\", NatDestination) \r\n| summarize AMOUNT=count() by TargetPort, SourceIP\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "a9fbfe30-b16d-44fc-bc24-98bad8a940a1"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Analytics",
"PartSubTitle": "Target ports"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"21": {
"position": {
"x": 12,
"y": 27,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n//| where Action == \"DNAT'ed\"\r\n| summarize Amount=count() by NatDestination, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Amount",
"type": "Int64"
}
],
"splitBy": [
{
"name": "NatDestination",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "1aa875a4-df6b-41e5-9723-b7b78e0568ae"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "DNAT'ed over time",
"PartSubTitle": "",
"Query": "AzureDiagnostics \n| where Category == \"AzureFirewallNetworkRule\" \n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \n| parse msg_s with * \". Action: \" Action1a \n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \n| extend Action = case(Action1a == \"\", \ncase(Action1b == \"\",Action2,Action1b), Action1a),\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \n| where Action == \"DNAT'ed\"\n| summarize Amount=count() by NatDestination, TimeGenerated\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
}
}
}
}
}
}cloudflare/Azure-Sentinel
Publicmirrored fromhttps://github.com/cloudflare/Azure-Sentinel
Dashboards/Azure_Firewall.json
1618lines · modepreview
7 years ago