{ "version": "Notebook/1.0", "items": [ { "type": 1, "content": { "json": "## pfSense\n---" }, "name": "text - 2" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "cb8a6a65-1237-4d20-be53-03207a5f9cf3", "version": "KqlParameterItem/1.0", "name": "TimeRange", "type": 4, "isRequired": true, "value": { "durationMs": 86400000 }, "typeSettings": { "selectableValues": [ { "durationMs": 300000 }, { "durationMs": 900000 }, { "durationMs": 1800000 }, { "durationMs": 3600000 }, { "durationMs": 14400000 }, { "durationMs": 43200000 }, { "durationMs": 86400000 }, { "durationMs": 172800000 }, { "durationMs": 259200000 }, { "durationMs": 604800000 }, { "durationMs": 1209600000 }, { "durationMs": 2419200000 }, { "durationMs": 2592000000 }, { "durationMs": 5184000000 }, { "durationMs": 7776000000 } ] }, "timeContext": { "durationMs": 86400000 }, "timeContextFromParameter": "TimeRange" }, { "id": "bbdbe4f4-ac36-4cdc-8e79-2e70b3e2e2bb", "version": "KqlParameterItem/1.0", "name": "Interface", "type": 2, "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", "query": "CommonSecurityLog\r\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\r\n| summarize Count = count() by DeviceInboundInterface\r\n| order by Count desc, DeviceInboundInterface asc\r\n| project Value = DeviceInboundInterface, Label = strcat(DeviceInboundInterface, ' - ', Count)", "value": [ "value::all" ], "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false }, "timeContext": { "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\n| where \"{Interface:lable}\" == \"All\" or DeviceInboundInterface in ({Interface})\n| where 
DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\n| summarize Total = count()", "size": 3, "title": "Total Firewall Events", "timeContext": { "durationMs": 86400000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "card", "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "TenantId", "formatter": 1 }, "leftContent": { "columnMatch": "DestinationPort", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "textSettings": { "style": "bignumber" } }, "name": "query - 2" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where \"{Interface:lable}\" == \"All\" or DeviceInboundInterface in ({Interface})\r\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\r\n| summarize Count = count() by bin(TimeGenerated, {TimeRange:grain}), DeviceInboundInterface", "size": 3, "title": "Events by Interface", "timeContext": { "durationMs": 86400000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "linechart" }, "name": "query - 3" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where \"{Interface:lable}\" == \"All\" or DeviceInboundInterface in ({Interface})\r\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\r\n| where DeviceAction == \"block\"\r\n| summarize Count = count() by SourceIP\r\n| sort by Count desc\r\n| take 10", "size": 0, "title": "Top 10 Blocked Source IPs", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "query - 4", "styleSettings": { "maxWidth": "50%" } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": 
"CommonSecurityLog\r\n| where \"{Interface:lable}\" == \"All\" or DeviceInboundInterface in ({Interface})\r\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\r\n| where DeviceAction == \"pass\"\r\n| summarize Count = count() by SourceIP\r\n| sort by Count desc\r\n| take 10", "size": 3, "title": "Top 10 Allowed IPs", "timeContext": { "durationMs": 86400000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "query - 5", "styleSettings": { "maxWidth": "50%" } }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "CommonSecurityLog\r\n| where \"{Interface:lable}\" == \"All\" or DeviceInboundInterface in ({Interface})\r\n| where DeviceProduct == \"pfsense\" and DeviceEventClassID == \"filterlog\"\r\n| summarize Count = count() by SourcePort, Protocol\r\n| project Protocol = strcat(Protocol,'-',SourcePort), Count \r\n| sort by Count desc", "size": 3, "title": "Protocol and Port", "timeContext": { "durationMs": 86400000 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart", "tileSettings": { "showBorder": false, "titleContent": { "columnMatch": "Protocol", "formatter": 1 }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { "palette": "auto" }, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } }, "graphSettings": { "type": 0, "topContent": { "columnMatch": "Protocol", "formatter": 1 }, "centerContent": { "columnMatch": "Count", "formatter": 1, "numberFormat": { "unit": 17, "options": { "maximumSignificantDigits": 3, "maximumFractionDigits": 2 } } } } }, "customWidth": "50", "name": "query - 6", "styleSettings": { "maxWidth": "50" } } ], "fromTemplateId": "sentinel-pfsense", "$schema": 
"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" }