{
  "name": "AzureFirewall-{Workspace_Name}",
  "type": "Microsoft.Portal/dashboards",
  "location": "{Dashboard_Location}",
  "tags": {
    "dashboardKey": "AzureFirewall",
    "hidden-title": "Azure Firewall - {Workspace_Name}",
    "version": "1.1",
    "workspaceName": "{Workspace_Name}"
},
  "properties": {
    "lenses": {
      "0": {
        "order": 0,
        "parts": {
          "0": {
            "position": {
              "x": 0,
              "y": 0,
              "colSpan": 1,
              "rowSpan": 1
            },
            "metadata": {
              "inputs": [
                {
                  "name": "subscriptionId",
                  "value": "{Subscription_Id}"
                },
                {
                  "name": "resourceGroup",
                  "value": "{Resource_Group}"
                },
                {
                  "name": "workspaceName",
                  "value": "{Workspace_Name}"
                },
                {
                  "name": "dashboardName",
                  "value": "AzureFirewall"
                },
                {
                  "name": "menuItemToOpen",
                  "value": "Dashboards"
                }
              ],
              "type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
              "defaultMenuItemId": "0"
            }
          },
          "1": {
            "position": {
              "x": 1,
              "y": 0,
              "colSpan": 15,
              "rowSpan": 1
            },
            "metadata": {
              "inputs": [],
              "type": "Extension/HubsExtension/PartType/MarkdownPart",
              "settings": {
                "content": {
                  "settings": {
                    "content": "<div style='font-size:300%;'>Azure Firewall - overview</div>\n\n",
                    "title": "",
                    "subtitle": ""
                  }
                }
              }
            }
          },
          "2": {
            "position": {
              "x": 16,
              "y": 0,
              "colSpan": 2,
              "rowSpan": 1
            },
            "metadata": {
              "inputs": [],
              "type": "Extension/HubsExtension/PartType/MarkdownPart",
              "settings": {
                "content": {
                  "settings": {
                    "content": "<img width='50' height='50' src='https://106c4.wpc.azureedge.net/80106C4/Gallery-Prod/cdn/2015-02-24/prod20161101-microsoft-windowsazure-gallery/microsoft.AzureFirewall-Arm.1.0.4/Icons/Large.png'/> ",
                    "title": "",
                    "subtitle": ""
                  }
                }
              }
            }
          },
          "3": {
            "position": {
              "x": 0,
              "y": 1,
              "colSpan": 9,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics \r\n| where ResourceType == \"AZUREFIREWALLS\" \r\n| summarize Volume=count() by TimeGenerated\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "TimeGenerated",
                      "type": "DateTime"
                    },
                    "yAxis": [
                      {
                        "name": "Volume",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "7a279309-4d2d-4c29-821e-88bb0e4c660e"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsChart"
                },
                {
                  "name": "SpecificChart",
                  "value": "Line"
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Events, by time",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "4": {
            "position": {
              "x": 9,
              "y": 1,
              "colSpan": 9,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics \r\n| where ResourceType == \"AZUREFIREWALLS\" \r\n| summarize count() by Category, TimeGenerated\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "TimeGenerated",
                      "type": "DateTime"
                    },
                    "yAxis": [
                      {
                        "name": "count_",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [
                      {
                        "name": "Category",
                        "type": "String"
                      }
                    ],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "e43210b9-219e-4454-a92e-d89ac851c6d3"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsChart"
                },
                {
                  "name": "SpecificChart",
                  "value": "Line"
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Event categories, by time",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "5": {
            "position": {
              "x": 0,
              "y": 5,
              "colSpan": 9,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| summarize amount = count() by Resource, ResourceGroup\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "ecd5abf3-394c-44e4-8034-8ff96464d8d5"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsGrid"
                },
                {
                  "name": "Dimensions",
                  "isOptional": true
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Firewall per resource group",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "6": {
            "position": {
              "x": 9,
              "y": 5,
              "colSpan": 9,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\" | summarize count() by Category\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "Category",
                      "type": "String"
                    },
                    "yAxis": [
                      {
                        "name": "count_",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "ae80cad7-a26d-4e0a-9603-203e5365d97f"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsDonut"
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Events, by category",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "7": {
            "position": {
              "x": 0,
              "y": 9,
              "colSpan": 18,
              "rowSpan": 1
            },
            "metadata": {
              "inputs": [],
              "type": "Extension/HubsExtension/PartType/MarkdownPart",
              "settings": {
                "content": {
                  "settings": {
                    "content": "<div style='font-size:300%;'>Azure Firewall - Application rule log statitics</div>\r\n",
                    "title": "",
                    "subtitle": ""
                  }
                }
              }
            }
          },
          "8": {
            "position": {
              "x": 0,
              "y": 10,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a),  RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Deny\" |  summarize Amount=dcount(SourceIP) by SourceIP\r\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "SourceIP",
                      "type": "String"
                    },
                    "yAxis": [
                      {
                        "name": "Amount",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "a7f860b9-cb1c-48a4-9f3a-d67ec9834370"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsDonut"
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Unique source IP addresses",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "9": {
            "position": {
              "x": 6,
              "y": 10,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a),  RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Allow\" \r\n| summarize count() by URL=FQDN\r\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "URL",
                      "type": "String"
                    },
                    "yAxis": [
                      {
                        "name": "count_",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "dc3e7d37-725c-4ad1-9c0c-7d386d962b7b"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsDonut"
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Allowed URL addresses",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "10": {
            "position": {
              "x": 12,
              "y": 10,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a),  RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)| where Action == \"Deny\" \r\n| summarize count() by URL=FQDN\r\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "URL",
                      "type": "String"
                    },
                    "yAxis": [
                      {
                        "name": "count_",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "702f6197-4bd9-404f-b2ec-7d5cfa07636d"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsDonut"
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Denied URL addresses",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "11": {
            "position": {
              "x": 0,
              "y": 14,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a),  RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Deny\" |  summarize Amount=dcount(SourceIP) by SourceIP, Protocol, URL = FQDN, TargetPortInt, Action\r\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "6a54bcd1-42b4-45fa-b1a9-3465cb7b0589"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsGrid"
                },
                {
                  "name": "Dimensions",
                  "isOptional": true
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Unique source IP addresses",
                  "PartSubTitle": "",
                  "GridColumnsWidth": {
                    "Protocol": "90px",
                    "SourceIP": "98px",
                    "TargetPortInt": "102px"
                  }
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "12": {
            "position": {
              "x": 6,
              "y": 14,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a),  RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Allow\" \r\n| summarize count() by URL=FQDN, bin(TimeGenerated,15min)\r\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "TimeGenerated",
                      "type": "DateTime"
                    },
                    "yAxis": [
                      {
                        "name": "count_",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [
                      {
                        "name": "URL",
                        "type": "String"
                      }
                    ],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "9ec8a61b-0e04-40be-9b41-139ff2aff5f5"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsChart"
                },
                {
                  "name": "SpecificChart",
                  "value": "Line"
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Allowed URL addresses, by time",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "13": {
            "position": {
              "x": 12,
              "y": 14,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a),  RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)| where Action == \"Deny\" \r\n| summarize count() by URL=FQDN, bin(TimeGenerated,15min)\r\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "TimeGenerated",
                      "type": "DateTime"
                    },
                    "yAxis": [
                      {
                        "name": "count_",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [
                      {
                        "name": "URL",
                        "type": "String"
                      }
                    ],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "c75ebea2-305d-4e9a-b4c1-06216e50e4d7"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsChart"
                },
                {
                  "name": "SpecificChart",
                  "value": "Line"
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Denied URL addresses, by time",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "14": {
            "position": {
              "x": 0,
              "y": 18,
              "colSpan": 18,
              "rowSpan": 1
            },
            "metadata": {
              "inputs": [],
              "type": "Extension/HubsExtension/PartType/MarkdownPart",
              "settings": {
                "content": {
                  "settings": {
                    "content": "<div style='font-size:300%;'>Azure Firewall - Network rule log statistics</div>\n",
                    "title": "",
                    "subtitle": ""
                  }
                }
              }
            }
          },
          "15": {
            "position": {
              "x": 0,
              "y": 19,
              "colSpan": 18,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| parse msg_s with Protocol \" request from\" SourceIP \":\" SourcePortInt:int \" to\" TargetIP \":\" TargetPortInt:int *\r\n| parse msg_s with * \". Action: \" Action1a\r\n| parse msg_s with * \" was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from\" SourceIP2 \" to\" TargetIP2 \". Action:\" Action2\r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)\r\n| extend Action = case(Action1a == \"\", case(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", Protocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),TargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),NatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)\r\n| summarize count() by Action, TimeGenerated\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "TimeGenerated",
                      "type": "DateTime"
                    },
                    "yAxis": [
                      {
                        "name": "count_",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [
                      {
                        "name": "Action",
                        "type": "String"
                      }
                    ],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "a61bc484-e9cd-4f0a-b1bc-4020bd406116"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsChart"
                },
                {
                  "name": "SpecificChart",
                  "value": "Line"
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Actions, by time",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "16": {
            "position": {
              "x": 0,
              "y": 23,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)  \r\n| summarize amount = count() by Action\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "Action",
                      "type": "String"
                    },
                    "yAxis": [
                      {
                        "name": "amount",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "29ea3ed2-1d64-492d-82d9-8b36189187c8"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsDonut"
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Rule actions",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "17": {
            "position": {
              "x": 6,
              "y": 23,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination \r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", case(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", Protocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),TargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort), NatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)  \r\n| summarize Count=count() by TargetPort\r\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "TargetPort",
                      "type": "String"
                    },
                    "yAxis": [
                      {
                        "name": "Count",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "27824317-7840-48a5-8dc0-3e0d4690f7fc"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsDonut"
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Target ports",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "18": {
            "position": {
              "x": 12,
              "y": 23,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)  \r\n//| where Action == \"DNAT'ed\"\r\n| summarize Amount=count() by NatDestination\r\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "f2c4c8ee-2219-4fa4-a88f-32106cafecdc"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsGrid"
                },
                {
                  "name": "Dimensions",
                  "isOptional": true
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "DNAT actions",
                  "PartSubTitle": "",
                  "Query": "AzureDiagnostics \n| where Category == \"AzureFirewallNetworkRule\" \n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \n| parse msg_s with * \". Action: \" Action1a \n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \n| extend Action = case(Action1a == \"\", \ncase(Action1b == \"\",Action2,Action1b), Action1a),\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)  \n| where Action == \"DNAT'ed\"\n| summarize Amount=count() by NatDestination\n"
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "19": {
            "position": {
              "x": 0,
              "y": 27,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)  \r\n| summarize amount = count() by Action , SourceIP\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "6ca03d53-d42c-4267-87e9-3930b7e92b95"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsGrid"
                },
                {
                  "name": "Dimensions",
                  "isOptional": true
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Rule actions, by IP addresses",
                  "PartSubTitle": ""
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "20": {
            "position": {
              "x": 6,
              "y": 27,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination \r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", \r\nProtocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort), \r\nNatDestination = case(NatDestination == \"\", \r\n\"N/A\", NatDestination)  \r\n| summarize AMOUNT=count() by TargetPort, SourceIP\r\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "a9fbfe30-b16d-44fc-bc24-98bad8a940a1"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsGrid"
                },
                {
                  "name": "Dimensions",
                  "isOptional": true
                },
                {
                  "name": "SpecificChart",
                  "isOptional": true
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "Analytics",
                  "PartSubTitle": "Target ports"
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          },
          "21": {
            "position": {
              "x": 12,
              "y": 27,
              "colSpan": 6,
              "rowSpan": 4
            },
            "metadata": {
              "inputs": [
                {
                  "name": "ComponentId",
                  "value": {
                    "SubscriptionId": "{Subscription_Id}",
                    "ResourceGroup": "{Resource_Group}",
                    "Name": "{Workspace_Name}",
                    "ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
                  }
                },
                {
                  "name": "Query",
                  "value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)  \r\n//| where Action == \"DNAT'ed\"\r\n| summarize Amount=count() by NatDestination, TimeGenerated\r\n"
                },
                {
                  "name": "TimeRange",
                  "value": "P1D"
                },
                {
                  "name": "Dimensions",
                  "value": {
                    "xAxis": {
                      "name": "TimeGenerated",
                      "type": "DateTime"
                    },
                    "yAxis": [
                      {
                        "name": "Amount",
                        "type": "Int64"
                      }
                    ],
                    "splitBy": [
                      {
                        "name": "NatDestination",
                        "type": "String"
                      }
                    ],
                    "aggregation": "Sum"
                  }
                },
                {
                  "name": "Version",
                  "value": "1.0"
                },
                {
                  "name": "DashboardId",
                  "value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
                },
                {
                  "name": "PartId",
                  "value": "1aa875a4-df6b-41e5-9723-b7b78e0568ae"
                },
                {
                  "name": "PartTitle",
                  "value": "Analytics"
                },
                {
                  "name": "PartSubTitle",
                  "value": ""
                },
                {
                  "name": "resourceTypeMode",
                  "value": "workspace"
                },
                {
                  "name": "ControlType",
                  "value": "AnalyticsChart"
                },
                {
                  "name": "SpecificChart",
                  "value": "Line"
                }
              ],
              "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
              "settings": {
                "content": {
                  "PartTitle": "DNAT'ed over time",
                  "PartSubTitle": "",
                  "Query": "AzureDiagnostics \n| where Category == \"AzureFirewallNetworkRule\" \n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \n| parse msg_s with * \". Action: \" Action1a \n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \n| extend Action = case(Action1a == \"\", \ncase(Action1b == \"\",Action2,Action1b), Action1a),\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)  \n| where Action == \"DNAT'ed\"\n| summarize Amount=count() by NatDestination, TimeGenerated\n"
                }
              },
              "asset": {
                "idInputName": "ComponentId",
                "type": "ApplicationInsights"
              }
            }
          }
        }
      }
    }
  }
}