Update AzureFirewallWorkbook-StructuredLogs.json

PrasadBoke 2023-06-13 14:46:35 +05:30
Parent c31c6443f3
Commit 1175cb4f2f
1 changed file: 1 addition and 1 deletion


@ -398,7 +398,7 @@
{
"type": 1,
"content": {
"json": "##### What's on this page?\r\n\r\nThe Azure Firewall - DNS Proxy page has the following features.\r\n\r\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\r\n\r\n- DNS Traffic by count (Time scrub enabled)\r\n- DNS Proxy by Request Name, by Count*\r\n- DNS Proxy Request by ClientIP, by Count*\r\n- Count over time of Proxy Requests by ClientIP\r\n- Pre-parsed DNS Proxy data\r\n\r\n##### How to use this page?\r\n\r\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\r\n\r\nStarting out you'll see the DNS Proxy traffic count, this is a great way to start to narrow down the proxy traffic over a period of time. Example we're looking at the 14 day window, but there was an odd spike or dip in proxy traffic, why? use the time scrub feature to select on the left side(where you're wanting to start, before the event occurred) drag, and move it over to the right. Example March 24th - March 27th.\r\n\r\nAfter adding our second time filter to the page, move forward to looking at the DNS requests. You might see a large spike in a specific DNS request, could be something you're not even familiar with. Using an example, i see a DNS request for \"md-fpp31tsvhx4s.blob.core.windows.net\" for 300K times in my current filters. By selecting this Request Name, it'll filter on the right showing me which clients are requesting this DNS traffic. Which after clicking on my request, i see 2 different IP addresses now. Oddly though, one is much smaller than the other. Lets select that Ip address to add an additional filter to the logs. Now we can see the logs related to that machine client ip, specifically around that DNS request name. 
This might help you narrow down if there are any actions that need to be taken on your firewall.\r\n\r\n##### What's required for this workbook to function?\r\n\r\n- Azure Firewall Diagnostic settings enabled, specifically requires DNS Proxy Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace."
"json": "##### What's on this page?\r\n\r\nThe Azure Firewall - DNS Proxy page has the following features.\r\n\r\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\r\n\r\n- DNS Traffic by count (Time scrub enabled)\r\n- DNS Proxy by Request Name, by Count*\r\n- DNS Proxy Request by ClientIP, by Count*\r\n- Count over time of Proxy Requests by ClientIP\r\n- Pre-parsed DNS Proxy data\r\n\r\n##### How to use this page?\r\n\r\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\r\n\r\nStarting out you'll see the DNS Proxy traffic count, this is a great way to start to narrow down the proxy traffic over a period of time. Example we're looking at the 14 day window, but there was an odd spike or dip in proxy traffic, why? use the time scrub feature to select on the left side(where you're wanting to start, before the event occurred) drag, and move it over to the right. Example March 24th - March 27th.\r\n\r\nAfter adding our second time filter to the page, move forward to looking at the DNS requests. You might see a large spike in a specific DNS request, could be something you're not even familiar with. Using an example, i see a DNS request for \"strcat('md-fpp31tsvhx4s.blob.core.', 'windows.', '.net')\"for 300K times in my current filters. By selecting this Request Name, it'll filter on the right showing me which clients are requesting this DNS traffic. Which after clicking on my request, i see 2 different IP addresses now. Oddly though, one is much smaller than the other. Lets select that Ip address to add an additional filter to the logs. Now we can see the logs related to that machine client ip, specifically around that DNS request name. 
This might help you narrow down if there are any actions that need to be taken on your firewall.\r\n\r\n##### What's required for this workbook to function?\r\n\r\n- Azure Firewall Diagnostic settings enabled, specifically requires DNS Proxy Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace."
},
"conditionalVisibility": {
"parameterName": "selectedTab",