Dashboards/AzureNetworkWatcher.json


1{
2 "name": "AzureNetworkWatcher_{Workspace_Name}",
3 "type": "Microsoft.Portal/dashboards",
4 "location": "{Dashboard_Location}",
5 "tags": {
6 "dashboardKey": "AzureNetworkWatcherDashboard",
7 "hidden-title": "AzureNetworkWatcher - {Workspace_Name}",
8 "version": "1.1",
9 "workspaceName": "{Workspace_Name}"
10 },
11 "properties": {
12 "lenses": {
13 "0": {
14 "order": 0,
15 "parts": {
16 "0": {
17 "position": {
18 "x": 1,
19 "y": 0,
20 "colSpan": 24,
21 "rowSpan": 1
22 },
23 "metadata": {
24 "inputs": [],
25 "type": "Extension/HubsExtension/PartType/MarkdownPart",
26 "settings": {
27 "content": {
28 "settings": {
29 "content": "<div style='font-size:300%;'>Network Watcher flow</div>",
30 "title": "",
31 "subtitle": ""
32 }
33 }
34 }
35 }
36 },
37 "1": {
38 "position": {
39 "x": 0,
40 "y": 1,
41 "colSpan": 15,
42 "rowSpan": 3
43 },
44 "metadata": {
45 "inputs": [
46 {
47 "name": "ComponentId",
48 "value": {
49 "SubscriptionId": "{Subscription_Id}",
50 "ResourceGroup": "{Resource_Group}",
51 "Name": "{Workspace_Name}",
52 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
53 }
54 },
55 {
56 "name": "Query",
57 "value": "AzureNetworkAnalytics_CL | where SubType_s == \"FlowLog\" | summarize TotalFlows = count() by TimeGenerated\n"
58 },
59 {
60 "name": "TimeRange",
61 "value": "P1D"
62 },
63 {
64 "name": "Dimensions",
65 "value": {
66 "xAxis": {
67 "name": "TimeGenerated",
68 "type": "DateTime"
69 },
70 "yAxis": [
71 {
72 "name": "TotalFlows",
73 "type": "Int64"
74 }
75 ],
76 "splitBy": [],
77 "aggregation": "Sum"
78 }
79 },
80 {
81 "name": "Version",
82 "value": "1.0"
83 },
84 {
85 "name": "DashboardId",
86 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
87 },
88 {
89 "name": "PartId",
90 "value": "b82b73da-5cc2-4794-bfaa-5c72d586c4a2"
91 },
92 {
93 "name": "PartTitle",
94 "value": "Analytics"
95 },
96 {
97 "name": "PartSubTitle",
98 "value": " "
99 },
100 {
101 "name": "resourceTypeMode",
102 "value": "workspace"
103 },
104 {
105 "name": "ControlType",
106 "value": "AnalyticsChart"
107 },
108 {
109 "name": "SpecificChart",
110 "value": "Line"
111 }
112 ],
113 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
114 "settings": {
115 "content": {
116 "PartTitle": "Traffic flows over time",
117 "PartSubTitle": " "
118 }
119 },
120 "asset": {
121 "idInputName": "ComponentId",
122 "type": "ApplicationInsights"
123 }
124 }
125 },
126 "2": {
127 "position": {
128 "x": 15,
129 "y": 1,
130 "colSpan": 5,
131 "rowSpan": 3
132 },
133 "metadata": {
134 "inputs": [
135 {
136 "name": "ComponentId",
137 "value": {
138 "SubscriptionId": "{Subscription_Id}",
139 "ResourceGroup": "{Resource_Group}",
140 "Name": "{Workspace_Name}",
141 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
142 }
143 },
144 {
145 "name": "Query",
146 "value": "AzureNetworkAnalytics_CL | where SubType_s == \"FlowLog\" | summarize count() by FlowType_s\r\n"
147 },
148 {
149 "name": "TimeRange",
150 "value": "P1D"
151 },
152 {
153 "name": "Dimensions",
154 "value": {
155 "xAxis": {
156 "name": "FlowType_s",
157 "type": "String"
158 },
159 "yAxis": [
160 {
161 "name": "count_",
162 "type": "Int64"
163 }
164 ],
165 "splitBy": [],
166 "aggregation": "Sum"
167 }
168 },
169 {
170 "name": "Version",
171 "value": "1.0"
172 },
173 {
174 "name": "DashboardId",
175 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
176 },
177 {
178 "name": "PartId",
179 "value": "ff009911-07c7-423f-a21c-9f026ae4dedf"
180 },
181 {
182 "name": "PartTitle",
183 "value": "Analytics"
184 },
185 {
186 "name": "PartSubTitle",
187 "value": " "
188 },
189 {
190 "name": "resourceTypeMode",
191 "value": "workspace"
192 },
193 {
194 "name": "ControlType",
195 "value": "AnalyticsDonut"
196 },
197 {
198 "name": "SpecificChart",
199 "isOptional": true
200 }
201 ],
202 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
203 "settings": {
204 "content": {
205 "PartTitle": "Traffic flow types",
206 "PartSubTitle": " "
207 }
208 },
209 "asset": {
210 "idInputName": "ComponentId",
211 "type": "ApplicationInsights"
212 }
213 }
214 },
215 "3": {
216 "position": {
217 "x": 20,
218 "y": 1,
219 "colSpan": 5,
220 "rowSpan": 3
221 },
222 "metadata": {
223 "inputs": [
224 {
225 "name": "ComponentId",
226 "value": {
227 "SubscriptionId": "{Subscription_Id}",
228 "ResourceGroup": "{Resource_Group}",
229 "Name": "{Workspace_Name}",
230 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
231 }
232 },
233 {
234 "name": "Query",
235 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == \"FlowLog\"\n| summarize count() by FlowDirection = iff(FlowDirection_s == 'I', 'Inbound', 'Outbound')\n"
236 },
237 {
238 "name": "TimeRange",
239 "value": "P1D"
240 },
241 {
242 "name": "Dimensions",
243 "value": {
244 "xAxis": {
245 "name": "FlowDirection",
246 "type": "String"
247 },
248 "yAxis": [
249 {
250 "name": "count_",
251 "type": "Int64"
252 }
253 ],
254 "splitBy": [],
255 "aggregation": "Sum"
256 }
257 },
258 {
259 "name": "Version",
260 "value": "1.0"
261 },
262 {
263 "name": "DashboardId",
264 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
265 },
266 {
267 "name": "PartId",
268 "value": "18e2550a-fe26-4fa1-902a-ed9d37d84cb8"
269 },
270 {
271 "name": "PartTitle",
272 "value": "Analytics"
273 },
274 {
275 "name": "PartSubTitle",
276 "value": " "
277 },
278 {
279 "name": "resourceTypeMode",
280 "value": "workspace"
281 },
282 {
283 "name": "ControlType",
284 "value": "AnalyticsDonut"
285 },
286 {
287 "name": "SpecificChart",
288 "isOptional": true
289 }
290 ],
291 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
292 "settings": {
293 "content": {
294 "PartTitle": "Traffic flow direction",
295 "PartSubTitle": " "
296 }
297 },
298 "asset": {
299 "idInputName": "ComponentId",
300 "type": "ApplicationInsights"
301 }
302 }
303 },
304 "4": {
305 "position": {
306 "x": 0,
307 "y": 4,
308 "colSpan": 25,
309 "rowSpan": 1
310 },
311 "metadata": {
312 "inputs": [],
313 "type": "Extension/HubsExtension/PartType/MarkdownPart",
314 "settings": {
315 "content": {
316 "settings": {
317 "content": "<div style='font-size:300%;'>Malicious actors</div>",
318 "title": "",
319 "subtitle": ""
320 }
321 }
322 }
323 }
324 },
325 "5": {
326 "position": {
327 "x": 0,
328 "y": 5,
329 "colSpan": 11,
330 "rowSpan": 4
331 },
332 "metadata": {
333 "inputs": [
334 {
335 "name": "ComponentId",
336 "value": {
337 "SubscriptionId": "{Subscription_Id}",
338 "ResourceGroup": "{Resource_Group}",
339 "Name": "{Workspace_Name}",
340 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
341 }
342 },
343 {
344 "name": "Query",
345 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d) by IP = strcat(SrcIP, ' (', CountryOrRegion, ')') | sort by FlowCount desc \n"
346 },
347 {
348 "name": "TimeRange",
349 "value": "P1D"
350 },
351 {
352 "name": "Dimensions",
353 "value": {
354 "xAxis": {
355 "name": "IP",
356 "type": "String"
357 },
358 "yAxis": [
359 {
360 "name": "FlowCount",
361 "type": "Double"
362 }
363 ],
364 "splitBy": [],
365 "aggregation": "Sum"
366 }
367 },
368 {
369 "name": "Version",
370 "value": "1.0"
371 },
372 {
373 "name": "DashboardId",
374 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
375 },
376 {
377 "name": "PartId",
378 "value": "5ddfa31a-b8a9-46d7-b95b-f763f7a88384"
379 },
380 {
381 "name": "PartTitle",
382 "value": "Analytics"
383 },
384 {
385 "name": "PartSubTitle",
386 "value": " "
387 },
388 {
389 "name": "resourceTypeMode",
390 "value": "workspace"
391 },
392 {
393 "name": "ControlType",
394 "value": "AnalyticsChart"
395 },
396 {
397 "name": "SpecificChart",
398 "value": "Bar"
399 }
400 ],
401 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
402 "settings": {
403 "content": {
404 "PartTitle": "Malicious IP address communication",
405 "PartSubTitle": " "
406 }
407 },
408 "asset": {
409 "idInputName": "ComponentId",
410 "type": "ApplicationInsights"
411 }
412 }
413 },
414 "6": {
415 "position": {
416 "x": 11,
417 "y": 5,
418 "colSpan": 6,
419 "rowSpan": 4
420 },
421 "metadata": {
422 "inputs": [
423 {
424 "name": "ComponentId",
425 "value": {
426 "SubscriptionId": "{Subscription_Id}",
427 "ResourceGroup": "{Resource_Group}",
428 "Name": "{Workspace_Name}",
429 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
430 }
431 },
432 {
433 "name": "Query",
434 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d) by Country = CountryOrRegion | sort by FlowCount desc \n"
435 },
436 {
437 "name": "TimeRange",
438 "value": "P1D"
439 },
440 {
441 "name": "Dimensions",
442 "value": {
443 "xAxis": {
444 "name": "Country",
445 "type": "String"
446 },
447 "yAxis": [
448 {
449 "name": "FlowCount",
450 "type": "Double"
451 }
452 ],
453 "splitBy": [],
454 "aggregation": "Sum"
455 }
456 },
457 {
458 "name": "Version",
459 "value": "1.0"
460 },
461 {
462 "name": "DashboardId",
463 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
464 },
465 {
466 "name": "PartId",
467 "value": "b48fdde3-d479-4c07-8f81-705ee10db294"
468 },
469 {
470 "name": "PartTitle",
471 "value": "Analytics"
472 },
473 {
474 "name": "PartSubTitle",
475 "value": " "
476 },
477 {
478 "name": "resourceTypeMode",
479 "value": "workspace"
480 },
481 {
482 "name": "ControlType",
483 "value": "AnalyticsDonut"
484 },
485 {
486 "name": "SpecificChart",
487 "isOptional": true
488 }
489 ],
490 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
491 "settings": {
492 "content": {
493 "PartTitle": "Traffic country of origin",
494 "PartSubTitle": " "
495 }
496 },
497 "asset": {
498 "idInputName": "ComponentId",
499 "type": "ApplicationInsights"
500 }
501 }
502 },
503 "7": {
504 "position": {
505 "x": 17,
506 "y": 5,
507 "colSpan": 8,
508 "rowSpan": 4
509 },
510 "metadata": {
511 "inputs": [
512 {
513 "name": "ComponentId",
514 "value": {
515 "SubscriptionId": "{Subscription_Id}",
516 "ResourceGroup": "{Resource_Group}",
517 "Name": "{Workspace_Name}",
518 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
519 }
520 },
521 {
522 "name": "Query",
523 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d), AllowedInFlows = sum(AllowedInFlows_d), DeniedInFlows = sum(DeniedInFlows_d) by IPAddress = strcat(SrcIP, ' (', CountryOrRegion, ')') | sort by AllowedInFlows desc \n"
524 },
525 {
526 "name": "TimeRange",
527 "value": "P1D"
528 },
529 {
530 "name": "Version",
531 "value": "1.0"
532 },
533 {
534 "name": "DashboardId",
535 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
536 },
537 {
538 "name": "PartId",
539 "value": "a62a3991-87a7-403d-a462-1e2670e5879a"
540 },
541 {
542 "name": "PartTitle",
543 "value": "Analytics"
544 },
545 {
546 "name": "PartSubTitle",
547 "value": " "
548 },
549 {
550 "name": "resourceTypeMode",
551 "value": "workspace"
552 },
553 {
554 "name": "ControlType",
555 "value": "AnalyticsGrid"
556 },
557 {
558 "name": "Dimensions",
559 "isOptional": true
560 },
561 {
562 "name": "SpecificChart",
563 "isOptional": true
564 }
565 ],
566 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
567 "settings": {
568 "content": {
569 "PartTitle": "Malicious IP address",
570 "PartSubTitle": " "
571 }
572 },
573 "asset": {
574 "idInputName": "ComponentId",
575 "type": "ApplicationInsights"
576 }
577 }
578 },
579 "8": {
580 "position": {
581 "x": 0,
582 "y": 9,
583 "colSpan": 25,
584 "rowSpan": 1
585 },
586 "metadata": {
587 "inputs": [],
588 "type": "Extension/HubsExtension/PartType/MarkdownPart",
589 "settings": {
590 "content": {
591 "settings": {
592 "content": "<div style='font-size:300%;'>Attacked resources</div>",
593 "title": "",
594 "subtitle": ""
595 }
596 }
597 }
598 }
599 },
600 "9": {
601 "position": {
602 "x": 0,
603 "y": 10,
604 "colSpan": 6,
605 "rowSpan": 4
606 },
607 "metadata": {
608 "inputs": [
609 {
610 "name": "ComponentId",
611 "value": {
612 "SubscriptionId": "{Subscription_Id}",
613 "ResourceGroup": "{Resource_Group}",
614 "Name": "{Workspace_Name}",
615 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
616 }
617 },
618 {
619 "name": "Query",
620 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize AllowedInFlows = sum(AllowedInFlows_d) by Computer = strcat(DestIP, ' (', Subscription2, '/', VM2, ')') | sort by AllowedInFlows desc\n"
621 },
622 {
623 "name": "TimeRange",
624 "value": "P1D"
625 },
626 {
627 "name": "Dimensions",
628 "value": {
629 "xAxis": {
630 "name": "Computer",
631 "type": "String"
632 },
633 "yAxis": [
634 {
635 "name": "AllowedInFlows",
636 "type": "Double"
637 }
638 ],
639 "splitBy": [],
640 "aggregation": "Sum"
641 }
642 },
643 {
644 "name": "Version",
645 "value": "1.0"
646 },
647 {
648 "name": "DashboardId",
649 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
650 },
651 {
652 "name": "PartId",
653 "value": "59e92add-51f9-4791-a19a-ad5f6ac5fe4b"
654 },
655 {
656 "name": "PartTitle",
657 "value": "Analytics"
658 },
659 {
660 "name": "PartSubTitle",
661 "value": " "
662 },
663 {
664 "name": "resourceTypeMode",
665 "value": "workspace"
666 },
667 {
668 "name": "ControlType",
669 "value": "AnalyticsDonut"
670 },
671 {
672 "name": "SpecificChart",
673 "isOptional": true
674 }
675 ],
676 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
677 "settings": {
678 "content": {
679 "PartTitle": "Most attacked machines",
680 "PartSubTitle": " "
681 }
682 },
683 "asset": {
684 "idInputName": "ComponentId",
685 "type": "ApplicationInsights"
686 }
687 }
688 },
689 "10": {
690 "position": {
691 "x": 6,
692 "y": 10,
693 "colSpan": 6,
694 "rowSpan": 4
695 },
696 "metadata": {
697 "inputs": [
698 {
699 "name": "ComponentId",
700 "value": {
701 "SubscriptionId": "{Subscription_Id}",
702 "ResourceGroup": "{Resource_Group}",
703 "Name": "{Workspace_Name}",
704 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
705 }
706 },
707 {
708 "name": "Query",
709 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize AllowedInFlows = sum(AllowedInFlows_d) by Subnet = strcat(Subnet2, ' (', Subscription2, ')') | sort by AllowedInFlows desc\n"
710 },
711 {
712 "name": "TimeRange",
713 "value": "P1D"
714 },
715 {
716 "name": "Dimensions",
717 "value": {
718 "xAxis": {
719 "name": "Subnet",
720 "type": "String"
721 },
722 "yAxis": [
723 {
724 "name": "AllowedInFlows",
725 "type": "Double"
726 }
727 ],
728 "splitBy": [],
729 "aggregation": "Sum"
730 }
731 },
732 {
733 "name": "Version",
734 "value": "1.0"
735 },
736 {
737 "name": "DashboardId",
738 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
739 },
740 {
741 "name": "PartId",
742 "value": "538e30b4-8c17-4039-8019-04892c2da5ed"
743 },
744 {
745 "name": "PartTitle",
746 "value": "Analytics"
747 },
748 {
749 "name": "PartSubTitle",
750 "value": " "
751 },
752 {
753 "name": "resourceTypeMode",
754 "value": "workspace"
755 },
756 {
757 "name": "ControlType",
758 "value": "AnalyticsDonut"
759 },
760 {
761 "name": "SpecificChart",
762 "isOptional": true
763 }
764 ],
765 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
766 "settings": {
767 "content": {
768 "PartTitle": "Most attacked subnets",
769 "PartSubTitle": " "
770 }
771 },
772 "asset": {
773 "idInputName": "ComponentId",
774 "type": "ApplicationInsights"
775 }
776 }
777 },
778 "11": {
779 "position": {
780 "x": 12,
781 "y": 10,
782 "colSpan": 13,
783 "rowSpan": 4
784 },
785 "metadata": {
786 "inputs": [
787 {
788 "name": "ComponentId",
789 "value": {
790 "SubscriptionId": "{Subscription_Id}",
791 "ResourceGroup": "{Resource_Group}",
792 "Name": "{Workspace_Name}",
793 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
794 }
795 },
796 {
797 "name": "Query",
798 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d), AllowedInFlows = sum(AllowedInFlows_d), DeniedInFlows = sum(DeniedInFlows_d) by IPAddress=DestIP, VM=VM2, Subnet=Subnet2, Subscription=Subscription2 | sort by AllowedInFlows desc\n"
799 },
800 {
801 "name": "TimeRange",
802 "value": "P1D"
803 },
804 {
805 "name": "Version",
806 "value": "1.0"
807 },
808 {
809 "name": "DashboardId",
810 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
811 },
812 {
813 "name": "PartId",
814 "value": "4bc5fdfb-2955-474c-9647-851e1ebb4177"
815 },
816 {
817 "name": "PartTitle",
818 "value": "Analytics"
819 },
820 {
821 "name": "PartSubTitle",
822 "value": " "
823 },
824 {
825 "name": "resourceTypeMode",
826 "value": "workspace"
827 },
828 {
829 "name": "ControlType",
830 "value": "AnalyticsGrid"
831 },
832 {
833 "name": "Dimensions",
834 "isOptional": true
835 },
836 {
837 "name": "SpecificChart",
838 "isOptional": true
839 }
840 ],
841 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
842 "settings": {
843 "content": {
844 "PartTitle": "Attacked resources",
845 "PartSubTitle": " "
846 }
847 },
848 "asset": {
849 "idInputName": "ComponentId",
850 "type": "ApplicationInsights"
851 }
852 }
853 },
854 "12": {
855 "position": {
856 "x": 0,
857 "y": 14,
858 "colSpan": 25,
859 "rowSpan": 1
860 },
861 "metadata": {
862 "inputs": [],
863 "type": "Extension/HubsExtension/PartType/MarkdownPart",
864 "settings": {
865 "content": {
866 "settings": {
867 "content": "<div style='font-size:300%;'>Malicious traffic target protocols</div>",
868 "title": "",
869 "subtitle": ""
870 }
871 }
872 }
873 }
874 },
875 "13": {
876 "position": {
877 "x": 0,
878 "y": 15,
879 "colSpan": 5,
880 "rowSpan": 3
881 },
882 "metadata": {
883 "inputs": [
884 {
885 "name": "ComponentId",
886 "value": {
887 "SubscriptionId": "{Subscription_Id}",
888 "ResourceGroup": "{Resource_Group}",
889 "Name": "{Workspace_Name}",
890 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
891 }
892 },
893 {
894 "name": "Query",
895 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d) by L4Protocol_s \n| extend L4Protocol_s = replace(\"T\", \"TCP\", L4Protocol_s)\n| extend L4Protocol = replace(\"U\", \"UDP\", L4Protocol_s)\n| project L4Protocol , FlowCount\n"
896 },
897 {
898 "name": "TimeRange",
899 "value": "P1D"
900 },
901 {
902 "name": "Dimensions",
903 "value": {
904 "xAxis": {
905 "name": "L4Protocol",
906 "type": "String"
907 },
908 "yAxis": [
909 {
910 "name": "FlowCount",
911 "type": "Double"
912 }
913 ],
914 "splitBy": [],
915 "aggregation": "Sum"
916 }
917 },
918 {
919 "name": "Version",
920 "value": "1.0"
921 },
922 {
923 "name": "DashboardId",
924 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
925 },
926 {
927 "name": "PartId",
928 "value": "c5cc6463-0d75-4309-abe0-5bb70c7aedfe"
929 },
930 {
931 "name": "PartTitle",
932 "value": "Analytics"
933 },
934 {
935 "name": "PartSubTitle",
936 "value": " "
937 },
938 {
939 "name": "resourceTypeMode",
940 "value": "workspace"
941 },
942 {
943 "name": "ControlType",
944 "value": "AnalyticsDonut"
945 },
946 {
947 "name": "SpecificChart",
948 "isOptional": true
949 }
950 ],
951 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
952 "settings": {
953 "content": {
954 "PartTitle": "Malicious traffic protocols",
955 "PartSubTitle": " "
956 }
957 },
958 "asset": {
959 "idInputName": "ComponentId",
960 "type": "ApplicationInsights"
961 }
962 }
963 },
964 "14": {
965 "position": {
966 "x": 5,
967 "y": 15,
968 "colSpan": 5,
969 "rowSpan": 3
970 },
971 "metadata": {
972 "inputs": [
973 {
974 "name": "ComponentId",
975 "value": {
976 "SubscriptionId": "{Subscription_Id}",
977 "ResourceGroup": "{Resource_Group}",
978 "Name": "{Workspace_Name}",
979 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
980 }
981 },
982 {
983 "name": "Query",
984 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize AllowedInFlows = sum(AllowedInFlows_d) by L4Protocol_s | sort by AllowedInFlows desc\n| extend L4Protocol_s = replace(\"T\", \"TCP\", L4Protocol_s)\n| extend L4Protocol = replace(\"U\", \"UDP\", L4Protocol_s)\n| project L4Protocol, AllowedInFlows\n"
985 },
986 {
987 "name": "TimeRange",
988 "value": "P1D"
989 },
990 {
991 "name": "Dimensions",
992 "value": {
993 "xAxis": {
994 "name": "L4Protocol",
995 "type": "String"
996 },
997 "yAxis": [
998 {
999 "name": "AllowedInFlows",
1000 "type": "Double"
1001 }
1002 ],
1003 "splitBy": [],
1004 "aggregation": "Sum"
1005 }
1006 },
1007 {
1008 "name": "Version",
1009 "value": "1.0"
1010 },
1011 {
1012 "name": "DashboardId",
1013 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
1014 },
1015 {
1016 "name": "PartId",
1017 "value": "ee0d3076-bcc6-4ad4-b66d-863b639a9f65"
1018 },
1019 {
1020 "name": "PartTitle",
1021 "value": "Analytics"
1022 },
1023 {
1024 "name": "PartSubTitle",
1025 "value": " "
1026 },
1027 {
1028 "name": "resourceTypeMode",
1029 "value": "workspace"
1030 },
1031 {
1032 "name": "ControlType",
1033 "value": "AnalyticsDonut"
1034 },
1035 {
1036 "name": "SpecificChart",
1037 "isOptional": true
1038 }
1039 ],
1040 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1041 "settings": {
1042 "content": {
1043 "PartTitle": "Allowed malicious traffic",
1044 "PartSubTitle": " "
1045 }
1046 },
1047 "asset": {
1048 "idInputName": "ComponentId",
1049 "type": "ApplicationInsights"
1050 }
1051 }
1052 },
1053 "15": {
1054 "position": {
1055 "x": 10,
1056 "y": 15,
1057 "colSpan": 5,
1058 "rowSpan": 3
1059 },
1060 "metadata": {
1061 "inputs": [
1062 {
1063 "name": "ComponentId",
1064 "value": {
1065 "SubscriptionId": "{Subscription_Id}",
1066 "ResourceGroup": "{Resource_Group}",
1067 "Name": "{Workspace_Name}",
1068 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
1069 }
1070 },
1071 {
1072 "name": "Query",
1073 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize DeniedInFlows = sum(DeniedInFlows_d) by L4Protocol_s | sort by DeniedInFlows desc\n| extend L4Protocol_s = replace(\"T\", \"TCP\", L4Protocol_s)\n| extend L4Protocol = replace(\"U\", \"UDP\", L4Protocol_s)\n| project L4Protocol, DeniedInFlows\n"
1074 },
1075 {
1076 "name": "TimeRange",
1077 "value": "P1D"
1078 },
1079 {
1080 "name": "Dimensions",
1081 "value": {
1082 "xAxis": {
1083 "name": "L4Protocol",
1084 "type": "String"
1085 },
1086 "yAxis": [
1087 {
1088 "name": "DeniedInFlows",
1089 "type": "Double"
1090 }
1091 ],
1092 "splitBy": [],
1093 "aggregation": "Sum"
1094 }
1095 },
1096 {
1097 "name": "Version",
1098 "value": "1.0"
1099 },
1100 {
1101 "name": "DashboardId",
1102 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
1103 },
1104 {
1105 "name": "PartId",
1106 "value": "23e35aa1-d859-437a-8d7c-00cb6b4fa3d7"
1107 },
1108 {
1109 "name": "PartTitle",
1110 "value": "Analytics"
1111 },
1112 {
1113 "name": "PartSubTitle",
1114 "value": " "
1115 },
1116 {
1117 "name": "resourceTypeMode",
1118 "value": "workspace"
1119 },
1120 {
1121 "name": "ControlType",
1122 "value": "AnalyticsDonut"
1123 },
1124 {
1125 "name": "SpecificChart",
1126 "isOptional": true
1127 }
1128 ],
1129 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1130 "settings": {
1131 "content": {
1132 "PartTitle": "Denied malicious traffic",
1133 "PartSubTitle": " "
1134 }
1135 },
1136 "asset": {
1137 "idInputName": "ComponentId",
1138 "type": "ApplicationInsights"
1139 }
1140 }
1141 },
1142 "16": {
1143 "position": {
1144 "x": 15,
1145 "y": 15,
1146 "colSpan": 10,
1147 "rowSpan": 6
1148 },
1149 "metadata": {
1150 "inputs": [
1151 {
1152 "name": "ComponentId",
1153 "value": {
1154 "SubscriptionId": "{Subscription_Id}",
1155 "ResourceGroup": "{Resource_Group}",
1156 "Name": "{Workspace_Name}",
1157 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
1158 }
1159 },
1160 {
1161 "name": "Query",
1162 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d), AllowedInFlows = sum(AllowedInFlows_d), DeniedInFlows = sum(DeniedInFlows_d) by L7Protocol = strcat(L7Protocol_s, ' (', toint(DestPort_d), ')') | sort by AllowedInFlows desc | limit 10\n"
1163 },
1164 {
1165 "name": "TimeRange",
1166 "value": "P1D"
1167 },
1168 {
1169 "name": "Version",
1170 "value": "1.0"
1171 },
1172 {
1173 "name": "DashboardId",
1174 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
1175 },
1176 {
1177 "name": "PartId",
1178 "value": "446bee72-6961-4d7e-8503-1de0aa85c3fa"
1179 },
1180 {
1181 "name": "PartTitle",
1182 "value": "Analytics"
1183 },
1184 {
1185 "name": "PartSubTitle",
1186 "value": " "
1187 },
1188 {
1189 "name": "resourceTypeMode",
1190 "value": "workspace"
1191 },
1192 {
1193 "name": "ControlType",
1194 "value": "AnalyticsGrid"
1195 },
1196 {
1197 "name": "Dimensions",
1198 "isOptional": true
1199 },
1200 {
1201 "name": "SpecificChart",
1202 "isOptional": true
1203 }
1204 ],
1205 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1206 "settings": {
1207 "content": {
1208 "PartTitle": "Malicious traffic, by application port",
1209 "PartSubTitle": " ",
1210 "GridColumnsWidth": {
1211 "L7Protocol": "154px",
1212 "FlowCount": "123px",
1213 "AllowedInFlows": "134px",
1214 "DeniedInFlows": "179px"
1215 }
1216 }
1217 },
1218 "asset": {
1219 "idInputName": "ComponentId",
1220 "type": "ApplicationInsights"
1221 }
1222 }
1223 },
1224 "17": {
1225 "position": {
1226 "x": 0,
1227 "y": 18,
1228 "colSpan": 5,
1229 "rowSpan": 3
1230 },
1231 "metadata": {
1232 "inputs": [
1233 {
1234 "name": "ComponentId",
1235 "value": {
1236 "SubscriptionId": "{Subscription_Id}",
1237 "ResourceGroup": "{Resource_Group}",
1238 "Name": "{Workspace_Name}",
1239 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
1240 }
1241 },
1242 {
1243 "name": "Query",
1244 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize FlowCount = sum(FlowCount_d) by L7Protocol = strcat(L7Protocol_s, ' (', toint(DestPort_d), ')') | sort by FlowCount desc | limit 10\n"
1245 },
1246 {
1247 "name": "TimeRange",
1248 "value": "P1D"
1249 },
1250 {
1251 "name": "Dimensions",
1252 "value": {
1253 "xAxis": {
1254 "name": "L7Protocol",
1255 "type": "String"
1256 },
1257 "yAxis": [
1258 {
1259 "name": "FlowCount",
1260 "type": "Double"
1261 }
1262 ],
1263 "splitBy": [],
1264 "aggregation": "Sum"
1265 }
1266 },
1267 {
1268 "name": "Version",
1269 "value": "1.0"
1270 },
1271 {
1272 "name": "DashboardId",
1273 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
1274 },
1275 {
1276 "name": "PartId",
1277 "value": "a581e53a-045c-4ca3-8868-4448e8902db4"
1278 },
1279 {
1280 "name": "PartTitle",
1281 "value": "Analytics"
1282 },
1283 {
1284 "name": "PartSubTitle",
1285 "value": " "
1286 },
1287 {
1288 "name": "resourceTypeMode",
1289 "value": "workspace"
1290 },
1291 {
1292 "name": "ControlType",
1293 "value": "AnalyticsDonut"
1294 },
1295 {
1296 "name": "SpecificChart",
1297 "isOptional": true
1298 }
1299 ],
1300 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1301 "settings": {
1302 "content": {
1303 "PartTitle": "Malicious traffic, by application port",
1304 "PartSubTitle": " "
1305 }
1306 },
1307 "asset": {
1308 "idInputName": "ComponentId",
1309 "type": "ApplicationInsights"
1310 }
1311 }
1312 },
1313 "18": {
1314 "position": {
1315 "x": 5,
1316 "y": 18,
1317 "colSpan": 5,
1318 "rowSpan": 3
1319 },
1320 "metadata": {
1321 "inputs": [
1322 {
1323 "name": "ComponentId",
1324 "value": {
1325 "SubscriptionId": "{Subscription_Id}",
1326 "ResourceGroup": "{Resource_Group}",
1327 "Name": "{Workspace_Name}",
1328 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
1329 }
1330 },
1331 {
1332 "name": "Query",
1333 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize AllowedInFlows = sum(AllowedInFlows_d) by L7Protocol = strcat(L7Protocol_s, ' (', toint(DestPort_d), ')') | sort by AllowedInFlows desc | limit 10\n"
1334 },
1335 {
1336 "name": "TimeRange",
1337 "value": "P1D"
1338 },
1339 {
1340 "name": "Dimensions",
1341 "value": {
1342 "xAxis": {
1343 "name": "L7Protocol",
1344 "type": "String"
1345 },
1346 "yAxis": [
1347 {
1348 "name": "AllowedInFlows",
1349 "type": "Double"
1350 }
1351 ],
1352 "splitBy": [],
1353 "aggregation": "Sum"
1354 }
1355 },
1356 {
1357 "name": "Version",
1358 "value": "1.0"
1359 },
1360 {
1361 "name": "DashboardId",
1362 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
1363 },
1364 {
1365 "name": "PartId",
1366 "value": "14711d70-ad42-496f-ae9c-eb1a4cb5841f"
1367 },
1368 {
1369 "name": "PartTitle",
1370 "value": "Analytics"
1371 },
1372 {
1373 "name": "PartSubTitle",
1374 "value": " "
1375 },
1376 {
1377 "name": "resourceTypeMode",
1378 "value": "workspace"
1379 },
1380 {
1381 "name": "ControlType",
1382 "value": "AnalyticsDonut"
1383 },
1384 {
1385 "name": "SpecificChart",
1386 "isOptional": true
1387 }
1388 ],
1389 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1390 "settings": {
1391 "content": {
1392 "PartTitle": "Allowed malicious traffic, by application port",
1393 "PartSubTitle": " "
1394 }
1395 },
1396 "asset": {
1397 "idInputName": "ComponentId",
1398 "type": "ApplicationInsights"
1399 }
1400 }
1401 },
1402 "19": {
1403 "position": {
1404 "x": 10,
1405 "y": 18,
1406 "colSpan": 5,
1407 "rowSpan": 3
1408 },
1409 "metadata": {
1410 "inputs": [
1411 {
1412 "name": "ComponentId",
1413 "value": {
1414 "SubscriptionId": "{Subscription_Id}",
1415 "ResourceGroup": "{Resource_Group}",
1416 "Name": "{Workspace_Name}",
1417 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
1418 }
1419 },
1420 {
1421 "name": "Query",
1422 "value": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend Subnet1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet1_s, iif(FlowDirection_s == 'O', Subnet_s, '' )), Subnet2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), Subnet2_s, iif(FlowDirection_s == 'I', Subnet_s, '' ))\n| extend VM1 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM1_s, iif(FlowDirection_s == 'O', VM_s, '' )), VM2 = iif(FlowType_s in ('InterVNet','IntraVNet'), VM2_s, iif(FlowDirection_s == 'I', VM_s, '' ))\n| extend Subscription1 = iif(FlowType_s == 'InterVNet',Subscription1_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'O', Subscription_g, '')), Subscription2 = iif(FlowType_s == 'InterVNet', Subscription2_g, iif(FlowType_s == 'IntraVNet' or FlowDirection_s == 'I', Subscription_g, ''))\n| extend NIC1 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC1_s, iif(FlowDirection_s == 'O', NIC_s, '')), NIC2 = iif(FlowType_s in ('InterVNet', 'IntraVNet'), NIC2_s, iif(FlowDirection_s == 'I', NIC_s, ''))\n| extend SrcIP = iif(isnotempty(SrcIP_s), SrcIP_s, iif(FlowDirection_s == 'O', VMIP_s, '')), DestIP = iif(isnotempty(DestIP_s), DestIP_s, iif(FlowDirection_s == 'I', VMIP_s, ''))\n| extend CountryOrRegion = iif(FlowType_s == 'AzurePublic', AzureRegion_s, Country_s)\n| extend FlowDirection_s = iif(FlowType_s in ('InterVNet','IntraVNet'), '', FlowDirection_s)\n| where FlowDirection_s == \"I\"\n| summarize DeniedInFlows = sum(DeniedInFlows_d) by L7Protocol = strcat(L7Protocol_s, ' (', toint(DestPort_d), ')') | sort by DeniedInFlows desc | limit 10\n"
1423 },
1424 {
1425 "name": "TimeRange",
1426 "value": "P1D"
1427 },
1428 {
1429 "name": "Dimensions",
1430 "value": {
1431 "xAxis": {
1432 "name": "L7Protocol",
1433 "type": "String"
1434 },
1435 "yAxis": [
1436 {
1437 "name": "DeniedInFlows",
1438 "type": "Double"
1439 }
1440 ],
1441 "splitBy": [],
1442 "aggregation": "Sum"
1443 }
1444 },
1445 {
1446 "name": "Version",
1447 "value": "1.0"
1448 },
1449 {
1450 "name": "DashboardId",
1451 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
1452 },
1453 {
1454 "name": "PartId",
1455 "value": "57e652ec-689c-4600-834c-359b2c396ab8"
1456 },
1457 {
1458 "name": "PartTitle",
1459 "value": "Analytics"
1460 },
1461 {
1462 "name": "PartSubTitle",
1463 "value": " "
1464 },
1465 {
1466 "name": "resourceTypeMode",
1467 "value": "workspace"
1468 },
1469 {
1470 "name": "ControlType",
1471 "value": "AnalyticsDonut"
1472 },
1473 {
1474 "name": "SpecificChart",
1475 "isOptional": true
1476 }
1477 ],
1478 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1479 "settings": {
1480 "content": {
1481 "PartTitle": "Denied malicious traffic, by application port",
1482 "PartSubTitle": " "
1483 }
1484 },
1485 "asset": {
1486 "idInputName": "ComponentId",
1487 "type": "ApplicationInsights"
1488 }
1489 }
1490 },
1491 "20": {
1492 "position": {
1493 "x": 0,
1494 "y": 21,
1495 "colSpan": 25,
1496 "rowSpan": 1
1497 },
1498 "metadata": {
1499 "inputs": [],
1500 "type": "Extension/HubsExtension/PartType/MarkdownPart",
1501 "settings": {
1502 "content": {
1503 "settings": {
1504 "content": "<div style='font-size:300%;'>NSG rule hits by malicious traffic</div>",
1505 "title": "",
1506 "subtitle": ""
1507 }
1508 }
1509 }
1510 }
1511 },
1512 "21": {
1513 "position": {
1514 "x": 0,
1515 "y": 22,
1516 "colSpan": 8,
1517 "rowSpan": 4
1518 },
1519 "metadata": {
1520 "inputs": [
1521 {
1522 "name": "ComponentId",
1523 "value": {
1524 "SubscriptionId": "{Subscription_Id}",
1525 "ResourceGroup": "{Resource_Group}",
1526 "Name": "{Workspace_Name}",
1527 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
1528 }
1529 },
1530 {
1531 "name": "Query",
1532 "value": "AzureNetworkAnalytics_CL \n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend nsgList = split(NSGList_s, ' ') | extend nsgRuleList = split(NSGRules_s, ' ') | mvexpand nsgRule = nsgRuleList | extend nsgRuleSplit = split(nsgRule, '|') \n| extend nsg = tostring(nsgList[toint(nsgRuleSplit[0])]), rule = tostring(nsgRuleSplit[1]), countHits = nsgRuleSplit[4], direction = tostring(nsgRuleSplit[2]) \n| extend prefixStrippedRule = replace('defaultrule_','', replace('userrule_','', rule))\n| extend completeNsgRule = strcat(nsg, '/', prefixStrippedRule) \n| where direction == 'I' and FlowStatus_s == 'A'\n| summarize rule_hits = sum(toint(countHits)) by nsg, rule, SourceIP=iif(isempty(SrcIP_s), 'N/A', SrcIP_s), DestIP=iif(isempty(DestIP_s),'N/A',DestIP_s), Country=iif(isempty(Country_s),'N/A',Country_s), Region=iif(isempty(Region_s),'N/A',Region_s), Subnet=iif(isempty(Subnet_s),'N/A',Subnet_s), NIC=iif(isempty(NIC_s),'N/A',NIC_s)\n| summarize TotalHits = sum(rule_hits) by FullRule = strcat(nsg,'/',rule) | sort by TotalHits desc\n"
1533 },
1534 {
1535 "name": "TimeRange",
1536 "value": "P1D"
1537 },
1538 {
1539 "name": "Dimensions",
1540 "value": {
1541 "xAxis": {
1542 "name": "FullRule",
1543 "type": "String"
1544 },
1545 "yAxis": [
1546 {
1547 "name": "TotalHits",
1548 "type": "Int64"
1549 }
1550 ],
1551 "splitBy": [],
1552 "aggregation": "Sum"
1553 }
1554 },
1555 {
1556 "name": "Version",
1557 "value": "1.0"
1558 },
1559 {
1560 "name": "DashboardId",
1561 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
1562 },
1563 {
1564 "name": "PartId",
1565 "value": "ab8c45fd-7690-4f40-8b38-fe69cf4b45da"
1566 },
1567 {
1568 "name": "PartTitle",
1569 "value": "Analytics"
1570 },
1571 {
1572 "name": "PartSubTitle",
1573 "value": " "
1574 },
1575 {
1576 "name": "resourceTypeMode",
1577 "value": "workspace"
1578 },
1579 {
1580 "name": "ControlType",
1581 "value": "AnalyticsChart"
1582 },
1583 {
1584 "name": "SpecificChart",
1585 "value": "Bar"
1586 }
1587 ],
1588 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1589 "settings": {
1590 "content": {
1591 "PartTitle": "NSG rules allowing inbound malicious traffic",
1592 "PartSubTitle": " "
1593 }
1594 },
1595 "asset": {
1596 "idInputName": "ComponentId",
1597 "type": "ApplicationInsights"
1598 }
1599 }
1600 },
1601 "22": {
1602 "position": {
1603 "x": 8,
1604 "y": 22,
1605 "colSpan": 17,
1606 "rowSpan": 4
1607 },
1608 "metadata": {
1609 "inputs": [
1610 {
1611 "name": "ComponentId",
1612 "value": {
1613 "SubscriptionId": "{Subscription_Id}",
1614 "ResourceGroup": "{Resource_Group}",
1615 "Name": "{Workspace_Name}",
1616 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
1617 }
1618 },
1619 {
1620 "name": "Query",
1621 "value": "AzureNetworkAnalytics_CL \n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend nsgList = split(NSGList_s, ' ') | extend nsgRuleList = split(NSGRules_s, ' ') | mvexpand nsgRule = nsgRuleList | extend nsgRuleSplit = split(nsgRule, '|') \n| extend nsg = tostring(nsgList[toint(nsgRuleSplit[0])]), rule = tostring(nsgRuleSplit[1]), countHits = nsgRuleSplit[4], direction = tostring(nsgRuleSplit[2]) \n| extend prefixStrippedRule = replace('defaultrule_','', replace('userrule_','', rule))\n| extend completeNsgRule = strcat(nsg, '/', prefixStrippedRule) \n| where direction == 'I' and FlowStatus_s == 'A'\n| summarize rule_hits = sum(toint(countHits)) by nsg, rule, SourceIP=iif(isempty(SrcIP_s), 'N/A', SrcIP_s), DestIP=iif(isempty(DestIP_s),'N/A',DestIP_s), Country=iif(isempty(Country_s),'N/A',Country_s), Region=iif(isempty(Region_s),'N/A',Region_s), Subnet=iif(isempty(Subnet_s),'N/A',Subnet_s), NIC=iif(isempty(NIC_s),'N/A',NIC_s)\n| summarize TotalHits = sum(rule_hits) by nsg, rule | sort by TotalHits desc\n"
1622 },
1623 {
1624 "name": "TimeRange",
1625 "value": "P1D"
1626 },
1627 {
1628 "name": "Version",
1629 "value": "1.0"
1630 },
1631 {
1632 "name": "DashboardId",
1633 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
1634 },
1635 {
1636 "name": "PartId",
1637 "value": "e8144a1c-7e7c-4919-9e76-29880073d10d"
1638 },
1639 {
1640 "name": "PartTitle",
1641 "value": "Analytics"
1642 },
1643 {
1644 "name": "PartSubTitle",
1645 "value": " "
1646 },
1647 {
1648 "name": "resourceTypeMode",
1649 "value": "workspace"
1650 },
1651 {
1652 "name": "ControlType",
1653 "value": "AnalyticsGrid"
1654 },
1655 {
1656 "name": "Dimensions",
1657 "isOptional": true
1658 },
1659 {
1660 "name": "SpecificChart",
1661 "isOptional": true
1662 }
1663 ],
1664 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1665 "settings": {
1666 "content": {
1667 "PartTitle": "NSG rules allowing inbound malicious traffic",
1668 "PartSubTitle": " "
1669 }
1670 },
1671 "asset": {
1672 "idInputName": "ComponentId",
1673 "type": "ApplicationInsights"
1674 }
1675 }
1676 },
1677 "23": {
1678 "position": {
1679 "x": 0,
1680 "y": 26,
1681 "colSpan": 8,
1682 "rowSpan": 4
1683 },
1684 "metadata": {
1685 "inputs": [
1686 {
1687 "name": "ComponentId",
1688 "value": {
1689 "SubscriptionId": "{Subscription_Id}",
1690 "ResourceGroup": "{Resource_Group}",
1691 "Name": "{Workspace_Name}",
1692 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
1693 }
1694 },
1695 {
1696 "name": "Query",
1697 "value": "AzureNetworkAnalytics_CL \n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend nsgList = split(NSGList_s, ' ') | extend nsgRuleList = split(NSGRules_s, ' ') | mvexpand nsgRule = nsgRuleList | extend nsgRuleSplit = split(nsgRule, '|') \n| extend nsg = tostring(nsgList[toint(nsgRuleSplit[0])]), rule = tostring(nsgRuleSplit[1]), countHits = nsgRuleSplit[4], direction = tostring(nsgRuleSplit[2]) \n| extend prefixStrippedRule = replace('defaultrule_','', replace('userrule_','', rule))\n| extend completeNsgRule = strcat(nsg, '/', prefixStrippedRule) \n| where direction == 'I' and FlowStatus_s == 'D'\n| summarize rule_hits = sum(toint(countHits)) by nsg, rule, SourceIP=iif(isempty(SrcIP_s), 'N/A', SrcIP_s), DestIP=iif(isempty(DestIP_s),'N/A',DestIP_s), Country=iif(isempty(Country_s),'N/A',Country_s), Region=iif(isempty(Region_s),'N/A',Region_s), Subnet=iif(isempty(Subnet_s),'N/A',Subnet_s), NIC=iif(isempty(NIC_s),'N/A',NIC_s)\n| summarize TotalHits = sum(rule_hits) by FullRule = strcat(nsg,'/',rule) | sort by TotalHits desc\n"
1698 },
1699 {
1700 "name": "TimeRange",
1701 "value": "P1D"
1702 },
1703 {
1704 "name": "Dimensions",
1705 "value": {
1706 "xAxis": {
1707 "name": "FullRule",
1708 "type": "String"
1709 },
1710 "yAxis": [
1711 {
1712 "name": "TotalHits",
1713 "type": "Int64"
1714 }
1715 ],
1716 "splitBy": [],
1717 "aggregation": "Sum"
1718 }
1719 },
1720 {
1721 "name": "Version",
1722 "value": "1.0"
1723 },
1724 {
1725 "name": "DashboardId",
1726 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
1727 },
1728 {
1729 "name": "PartId",
1730 "value": "dbd0e852-b102-473d-ab19-20cd49d7076e"
1731 },
1732 {
1733 "name": "PartTitle",
1734 "value": "Analytics"
1735 },
1736 {
1737 "name": "PartSubTitle",
1738 "value": " "
1739 },
1740 {
1741 "name": "resourceTypeMode",
1742 "value": "workspace"
1743 },
1744 {
1745 "name": "ControlType",
1746 "value": "AnalyticsChart"
1747 },
1748 {
1749 "name": "SpecificChart",
1750 "value": "Bar"
1751 }
1752 ],
1753 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1754 "settings": {
1755 "content": {
1756 "PartTitle": "NSG rules denying inbound malicious traffic",
1757 "PartSubTitle": " "
1758 }
1759 },
1760 "asset": {
1761 "idInputName": "ComponentId",
1762 "type": "ApplicationInsights"
1763 }
1764 }
1765 },
1766 "24": {
1767 "position": {
1768 "x": 8,
1769 "y": 26,
1770 "colSpan": 17,
1771 "rowSpan": 4
1772 },
1773 "metadata": {
1774 "inputs": [
1775 {
1776 "name": "ComponentId",
1777 "value": {
1778 "SubscriptionId": "{Subscription_Id}",
1779 "ResourceGroup": "{Resource_Group}",
1780 "Name": "{Workspace_Name}",
1781 "ResourceId": "/subscriptions/{Subscription_Id}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"
1782 }
1783 },
1784 {
1785 "name": "Query",
1786 "value": "AzureNetworkAnalytics_CL \n| where SubType_s == 'FlowLog' and FASchemaVersion_s == '1' and FlowType_s == 'MaliciousFlow'\n| extend nsgList = split(NSGList_s, ' ') | extend nsgRuleList = split(NSGRules_s, ' ') | mvexpand nsgRule = nsgRuleList | extend nsgRuleSplit = split(nsgRule, '|') \n| extend nsg = tostring(nsgList[toint(nsgRuleSplit[0])]), rule = tostring(nsgRuleSplit[1]), countHits = nsgRuleSplit[4], direction = tostring(nsgRuleSplit[2]) \n| extend prefixStrippedRule = replace('defaultrule_','', replace('userrule_','', rule))\n| extend completeNsgRule = strcat(nsg, '/', prefixStrippedRule) \n| where direction == 'I' and FlowStatus_s == 'D'\n| summarize rule_hits = sum(toint(countHits)) by nsg, rule, SourceIP=iif(isempty(SrcIP_s), 'N/A', SrcIP_s), DestIP=iif(isempty(DestIP_s),'N/A',DestIP_s), Country=iif(isempty(Country_s),'N/A',Country_s), Region=iif(isempty(Region_s),'N/A',Region_s), Subnet=iif(isempty(Subnet_s),'N/A',Subnet_s), NIC=iif(isempty(NIC_s),'N/A',NIC_s)\n| summarize TotalHits = sum(rule_hits) by nsg, rule | sort by TotalHits desc\n"
1787 },
1788 {
1789 "name": "TimeRange",
1790 "value": "P1D"
1791 },
1792 {
1793 "name": "Version",
1794 "value": "1.0"
1795 },
1796 {
1797 "name": "DashboardId",
1798 "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureNetworkWatcher_{Workspace_Name}"
1799 },
1800 {
1801 "name": "PartId",
1802 "value": "4d6b1d18-02f4-4da2-957b-2207248d994c"
1803 },
1804 {
1805 "name": "PartTitle",
1806 "value": "Analytics"
1807 },
1808 {
1809 "name": "PartSubTitle",
1810 "value": " "
1811 },
1812 {
1813 "name": "resourceTypeMode",
1814 "value": "workspace"
1815 },
1816 {
1817 "name": "ControlType",
1818 "value": "AnalyticsGrid"
1819 },
1820 {
1821 "name": "Dimensions",
1822 "isOptional": true
1823 },
1824 {
1825 "name": "SpecificChart",
1826 "isOptional": true
1827 }
1828 ],
1829 "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
1830 "settings": {
1831 "content": {
1832 "PartTitle": "NSG rules denying inbound malicious traffic",
1833 "PartSubTitle": " ",
1834 "GridColumnsWidth": {
1835 "nsg": "168px",
1836 "rule": "20.3399658203125px",
1837 "TotalHits": "168px"
1838 }
1839 }
1840 },
1841 "asset": {
1842 "idInputName": "ComponentId",
1843 "type": "ApplicationInsights"
1844 }
1845 }
1846 },
1847 "25": {
1848 "position": {
1849 "x": 0,
1850 "y": 0,
1851 "colSpan": 1,
1852 "rowSpan": 1
1853 },
1854 "metadata": {
1855 "inputs": [
1856 {
1857 "name": "subscriptionId",
1858 "value": "{Subscription_Id}"
1859 },
1860 {
1861 "name": "resourceGroup",
1862 "value": "{Resource_Group}"
1863 },
1864 {
1865 "name": "workspaceName",
1866 "value": "{Workspace_Name}"
1867 },
1868 {
1869 "name": "menuItemToOpen",
1870 "value": "Dashboards"
1871 }
1872 ],
1873 "type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
1874 "defaultMenuItemId": "0"
1875 }
1876 }
1877 }
1878 }
1879 }
1880 }
1881}