Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Solutions/Azure Firewall/Package/mainTemplate.json

7299 строки
733 KiB
JSON
Исходник Ответственный История

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for Azure Firewall"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "Azure Firewall",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
},
"workbook2-name": {
"type": "string",
"defaultValue": "Azure Firewall Structured Logs",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
},
"variables": {
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Azure Firewall",
"_solutionVersion": "3.0.4",
"solutionId": "sentinel4azurefirewall.sentinel4azurefirewall",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.3.0",
"workbookContentId1": "AzureFirewallWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
"_workbookContentId1": "[variables('workbookContentId1')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"workbookVersion2": "1.0.0",
"workbookContentId2": "AzureFirewallWorkbook-StructuredLogs",
"workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]",
"workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]",
"_workbookContentId2": "[variables('workbookContentId2')]",
"_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
"uiConfigId1": "AzureFirewall",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "AzureFirewall",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"AzureFirewallConnector": "AzureFirewallConnector",
"_AzureFirewallConnector": "[variables('AzureFirewallConnector')]",
"TemplateEmptyArray": "[json('[]')]",
"blanks": "[replace('b', 'b', '')]",
"playbookVersion1": "1.0",
"playbookContentId1": "AzureFirewallConnector",
"_playbookContentId1": "[variables('playbookContentId1')]",
"playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1'))))]",
"_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
"AzureFirewall-BlockIP-addToIPGroup": "AzureFirewall-BlockIP-addToIPGroup",
"_AzureFirewall-BlockIP-addToIPGroup": "[variables('AzureFirewall-BlockIP-addToIPGroup')]",
"playbookVersion2": "1.0",
"playbookContentId2": "AzureFirewall-BlockIP-addToIPGroup",
"_playbookContentId2": "[variables('playbookContentId2')]",
"playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
"playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
"_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
"AzureFirewall-AddIPtoTIAllowList": "AzureFirewall-AddIPtoTIAllowList",
"_AzureFirewall-AddIPtoTIAllowList": "[variables('AzureFirewall-AddIPtoTIAllowList')]",
"playbookVersion3": "1.0",
"playbookContentId3": "AzureFirewall-AddIPtoTIAllowList",
"_playbookContentId3": "[variables('playbookContentId3')]",
"playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
"playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
"_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
"AzureFirewall-BlockIP-addNewRule": "AzureFirewall-BlockIP-addNewRule",
"_AzureFirewall-BlockIP-addNewRule": "[variables('AzureFirewall-BlockIP-addNewRule')]",
"playbookVersion4": "1.0",
"playbookContentId4": "AzureFirewall-BlockIP-addNewRule",
"_playbookContentId4": "[variables('playbookContentId4')]",
"playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
"playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
"_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
"huntingQueryObject1": {
"huntingQueryVersion1": "1.0.0",
"_huntingQuerycontentId1": "932fe71a-7a8c-4f35-bf88-321ab68ff562",
"huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('932fe71a-7a8c-4f35-bf88-321ab68ff562')))]"
},
"huntingQueryObject2": {
"huntingQueryVersion2": "1.0.0",
"_huntingQuerycontentId2": "f055e82b-5ef6-4395-bc9e-99f7e451343a",
"huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f055e82b-5ef6-4395-bc9e-99f7e451343a')))]"
},
"huntingQueryObject3": {
"huntingQueryVersion3": "1.0.0",
"_huntingQuerycontentId3": "d006f4f8-86bb-4c9d-9826-837762ddad6b",
"huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d006f4f8-86bb-4c9d-9826-837762ddad6b')))]"
},
"huntingQueryObject4": {
"huntingQueryVersion4": "1.0.0",
"_huntingQuerycontentId4": "8812a547-13e6-4d0c-b38d-476fb7351c52",
"huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8812a547-13e6-4d0c-b38d-476fb7351c52')))]"
},
"huntingQueryObject5": {
"huntingQueryVersion5": "1.0.0",
"_huntingQuerycontentId5": "3d93fa57-53e5-4d5e-96d4-ad734a8df3a4",
"huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3d93fa57-53e5-4d5e-96d4-ad734a8df3a4')))]"
},
"analyticRuleObject1": {
"analyticRuleVersion1": "1.1.1",
"_analyticRulecontentId1": "f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e','-', '1.1.1')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.2.2",
"_analyticRulecontentId2": "720335f4-ee8c-4270-9424-d0859222168c",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '720335f4-ee8c-4270-9424-d0859222168c')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('720335f4-ee8c-4270-9424-d0859222168c')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','720335f4-ee8c-4270-9424-d0859222168c','-', '1.2.2')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.1.2",
"_analyticRulecontentId3": "b2c5907b-1040-4692-9802-9946031017e8",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2c5907b-1040-4692-9802-9946031017e8')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2c5907b-1040-4692-9802-9946031017e8')))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2c5907b-1040-4692-9802-9946031017e8','-', '1.1.2')))]"
},
"analyticRuleObject4": {
"analyticRuleVersion4": "1.1.2",
"_analyticRulecontentId4": "4644baf7-3464-45dd-bd9d-e07687e25f81",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4644baf7-3464-45dd-bd9d-e07687e25f81')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4644baf7-3464-45dd-bd9d-e07687e25f81')))]",
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4644baf7-3464-45dd-bd9d-e07687e25f81','-', '1.1.2')))]"
},
"analyticRuleObject5": {
"analyticRuleVersion5": "1.1.1",
"_analyticRulecontentId5": "826f930c-2f25-4508-8e75-a95b809a4e15",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '826f930c-2f25-4508-8e75-a95b809a4e15')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('826f930c-2f25-4508-8e75-a95b809a4e15')))]",
"_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','826f930c-2f25-4508-8e75-a95b809a4e15','-', '1.1.1')))]"
},
"analyticRuleObject6": {
"analyticRuleVersion6": "1.1.1",
"_analyticRulecontentId6": "d36bb1e3-5abc-4037-ad9a-24ba3469819e",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd36bb1e3-5abc-4037-ad9a-24ba3469819e')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d36bb1e3-5abc-4037-ad9a-24ba3469819e')))]",
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d36bb1e3-5abc-4037-ad9a-24ba3469819e','-', '1.1.1')))]"
},
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AzureFirewallWorkbook Workbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Insights/workbooks",
"name": "[variables('workbookContentId1')]",
"location": "[parameters('workspace-location')]",
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
"description": "Gain insights into Azure Firewall events. You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces."
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure Firewall Workbook\\r\\n---\\r\\n\"},\"name\":\"text - 23\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20847ce8-91bc-4d8b-b878-a5a41c95c31c\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall Overview\",\"subTarget\":\"AFOverview\",\"preText\":\"Azure Firewall Overview\",\"style\":\"link\"},{\"id\":\"f564709d-1658-46a1-8b44-892210e13017\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall - Application rule log statistics\",\"subTarget\":\"AFAppRule\",\"style\":\"link\"},{\"id\":\"1f6661e2-f873-4d56-879d-4d085d8cf1d4\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall - Network rule log statistics\",\"subTarget\":\"AFNetRule\",\"style\":\"link\"},{\"id\":\"ef1548c5-ef55-4eaa-8a81-b049cb93b56c\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall - DNS Proxy\",\"subTarget\":\"AFDNSProxy\",\"style\":\"link\"},{\"id\":\"18a4a585-2176-4d9f-907c-8e8d5f984efa\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall Premium - IDPS\",\"subTarget\":\"AFIDSIPS\",\"style\":\"link\"},{\"id\":\"97dc7364-961d-4c19-a730-7b9024f46b91\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall - Investigation\",\"subTarget\":\"AFInvestigate\",\"style\":\"link\"}]},\"name\":\"links - 24\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ab7d6c51-d7df-436c-96a2-429163aa50ec\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"isGlobal\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":false}},{\"id\":\"add90eb3-ff5f-4b19-9658-ff15c8043af5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspaces\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id, name\\r\\n| order by name desc\",\"crossComponentResources\":[\"value::selected\"],\"value\":[\"value::100\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::100\"]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"5084e141-6c56-4d7f-bd8a-09f7ef9af1bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Resource\",\"label\":\"Azure Firewalls\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'Microsoft.Network/azureFirewalls'\\r\\n| project id, name\",\"crossComponentResources\":[\"value::selected\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"13d9f6e9-9290-4b1e-b0d0-a7c0ebdc1aed\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"description\":\"This will show some help information to help you understand the page you are on\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"Change Log\\\", \\\"label\\\": \\\"Change Log\\\"}\\r\\n]\"},{\"id\":\"68f2cb32-03d4-4307-8eb5-1f66dfc09a85\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirewallResources\",\"label\":\"Show Resources\",\"type\":2,\"description\":\"The is only used on the Overview page.\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\" }\\r\\n]\",\"value\":\"No\"},{\"id\":\"53aa8daf-29de-40a1-9147-c0970e32fac4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GeoLocation\",\"label\":\"GeoLocationCSV\",\"type\":2,\"description\":\"Supplied as a value for GeoLocation lookup on queries: Read more here - https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin#ipv4-lookup---matching-rows-only\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"\\r\\n[\\r\\n{\\r\\n\\\"value\\\": \\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\", \\\"label\\\": \\\"GeoLocationDefault\\\", \\\"selected\\\": \\\"true\\\" \\r\\n}\\r\\n]\\r\\n\\r\\n\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Overview - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|v1.0\\t|Initial Version|\\r\\n|V1.1.0\\t|Split up the data sets, Overview, Application Rule Logs, Network Rule Logs, DNS Proxy Logs. Added in Investigation visibility with Azure Firewall + Azure Graph. Added in visibility to multiple workspaces and filtering to Firewall resources. |\\r\\n|V1.2.0 | Added new filteres, \\\"Show Help\\\", \\\"Show Resources\\\", \\\"GeoLocationCSV\\\", Updated query parsing to the Overview queries. Improved overall performance in large data scale performance with new parsing requirements.\"},\"conditionalVisibilities\":[{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"}],\"name\":\"text - 40\"},{\"type\":1,\"content\":{\"json\":\"### Azure Firewall - App Rules - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|v1.0.0 | Initial Version\\r\\n|V1.2.0 | Added in new Querires for Azure Firewall features, parsing is now used differently. Added Web Category.\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"}],\"name\":\"text - 63\"},{\"type\":1,\"content\":{\"json\":\"### Azure Firewall - Network Rule - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|V1.0.0 | Initial Version\\r\\n|V1.2.0 | Added in new Querires for Azure Firewall features, parsing is now used differently. Added in GeoLocation queries, updated main query to use GeoLocation data.\"},\"conditionalVisibilities\":[{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"}],\"name\":\"text - 64\"},{\"type\":1,\"content\":{\"json\":\"### Azure Firewall - DNSProxy - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|V1.1.0 | Initial Version\\r\\n|V1.2.0 | No modifications were made\"},\"conditionalVisibilities\":[{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"}],\"name\":\"text - 65\"},{\"type\":1,\"content\":{\"json\":\"### Azure Firewall Prem - IDPS - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|V1.2.0 | Initial Version\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"}],\"name\":\"text - 66\"},{\"type\":1,\"content\":{\"json\":\"### Azure Firewall Prem - IDPS - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|V1.0.0 | Initial Version\\r\\n|V1.2.0 | Added IDPS Logs to the investgation experience, Added in GeoLocation infromation. Updated the KQL logic to be faster for large data volume.\"},\"conditionalVisibilities\":[{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"}],\"name\":\"text - 67\"}]},\"name\":\"ChangeLogGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall - Overview page has the following features.\\r\\n\\r\\n- All Firewall Data Log Analytics Volume (Total)\\r\\n- All Firewall Data Log Analytics Volume (Per Firewall)\\r\\n- All Firewall Event Categories\\r\\n- All Firewall Event Categories over time\\r\\n- Azure Firewall Metrics data\\r\\n - Traffic\\r\\n - SNAT Port\\r\\n - Network Rule Count\\r\\n - Application Rule Count\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nStart by looking at the workbook filters, examples would be TimeRange, Workspace, Azure Firewall. Note these are filtered based on your azure portal settings of \\\"Default subscription filter\\\". Selecting more resources or more workspaces has an impact on speed of results depending on the data volume of your workspaces. Why TimeRange is a large factor when looking at looking at extremely large data sets of volume(example over 1 Billion logs) so multiple filters have been offered to finetune the results without having to build your own queries.\\r\\n\\r\\nIf this is your first time looking at this workbook, my suggestion is to use 14 days(this is the fastest cached data in Log Analytics), a single workspace, a single firewall, if you're wanting to see the results of one firewall. Best to know where your firewall is sending it's logs too to confirm you didn't select a workspace that doesn't have that firewalls data. How to check, go to the Azure Firewall, click Diagnostic settings, see what Log Analytics workspace is currently configured.\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- Azure Firewall Diagnostic settings enabled, and sending to workspace your azure ad user had RBAC permissions to. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\\r\\n- Azure Metrics requires resource permissions of the Firewall you're wanting data on. \"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"name\":\"text - 59\"},{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall - Application rule log statistics page has the following features.\\r\\n\\r\\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\\r\\n\\r\\n- Unique Source IP Address*\\r\\n- Application Rule Usage\\r\\n- Denied/Allowed FQDN over time\\r\\n- Denied/Allowed FQDN count\\r\\n- Denied/Allowed Web Categories over time\\r\\n- Denied/Allowed Web Categories count\\r\\n- Pre-parsed Azure Firewall Application Rule Logs with a search feature.\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\\r\\n\\r\\nStarting out you'll see the unique source of IP addresses based on the global filters you have in place, this is showing only the top 10 IPAddresses, you can modify the KQL query to show more if needed if you click the \\\"Edit\\\" button. We added in the logic to show the volume over time, under the IP address/count information. If you click on the highest count (my example is 415,786 count, 10.0.24.4 ipaddress) it'll filter everything on the Application rule log statistic page to this IP address specifically. (Only Exception is the Rule Usage). Note this could cause other data sets to become blank as a result, sometimes you only have Approved or Denied access based on the configuration of the firewall.\\r\\n\\r\\nIf you're wanting to search for something a little more specific other than IPAddress filter, you can use the \\\"Search\\\" bar under the \\\"All IP Address events\\\" query to create a custom filter to the parsed logs. Example could be an FQDN \\\"wdcp.microsoft.com\\\" to pull up those logs specifically with that name in it.\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- Azure Firewall Diagnostic settings enabled, specifically requires Application Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall - Network rule log statistics page has the following features.\\r\\n\\r\\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\\r\\n\\r\\n- Rule Actions*\\r\\n\\r\\n- Target Ports*\\r\\n\\r\\n- DNAT Actions*\\r\\n\\r\\n- GeoLocation\\r\\n\\r\\n- Actions over time(Time scrub enabled)\\r\\n\\r\\n- Pre-parsed Network Rule data with GeoLocation added\\r\\n\\r\\n *Note: GeoLocation is using an public file, you have to modify your GeoLocation Global Filter tab to add your own data.*\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\\r\\n\\r\\nStarting out you'll get see pie charts on the screen, each of these can be clicked on to filter the data below. You'll have to click on the color of the wheel in order to use the filter feature. Downfall of this, if it's an extremely small data set, its hard to click on that color due to the challenge of even seeing it. These filters are a top down approach, meaning what clicked on top, filters below. If you'd like, feel free to test this out now. Under \\\"Target Ports, filterable by Target Port\\\" find port 53 ( pretty common port). Click on the wheel with the color that's associated to port 53. You'll see everything change below only showing data that has port 53 associated to it. If you'd like to remove this filter you have a few options. \\r\\n\\r\\n1. Click the \\\"Go back\\\" at the top right of the wheel\\r\\n2. Refresh the whole workbook\\r\\n3. Refresh the whole browser window\\r\\n\\r\\n*A note about the new feature added \\\"GeoLocation\\\", this is public data shared through the Log Analytics developer team to show the feature to associate IP addresses with a GeoLocation file. This had been added to the workbook to show you what's possible, it's encouraged for you to use your own data which could be further enriched. If you had Lat/Long data, you could even add in a map feature into this workbook to show you where the traffic is mostly.*\\r\\n\\r\\nMid-way down the page you'll see the \\\"Actions, by time\\\", if we saw a large spike and wanted to lower the window of traffic, select on the left side(where you're wanting to start, before the event occurred) drag, and move it over to the right. Example March 24th - March 27th. When i was looking over 14 days of time. This will filter the \\\"All IP Addresses events\\\" down to this new time window.\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- Azure Firewall Diagnostic settings enabled, specifically requires Network Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall - DNS Proxy page has the following features.\\r\\n\\r\\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\\r\\n\\r\\n- DNS Traffic by count (Time scrub enabled)\\r\\n- DNS Proxy by Request Name, by Count*\\r\\n- DNS Proxy Request by ClientIP, by Count*\\r\\n- Count over time of Proxy Requests by ClientIP\\r\\n- Pre-parsed DNS Proxy data\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\\r\\n\\r\\nStarting out you'll see the DNS Proxy traffic count, this is a great way to start to narrow down the proxy traffic over a period of time. Example we're looking at the 14 day window, but there was an odd spike or dip in proxy traffic, why? use the time scrub feature to select on the left side(where you're wanting to start, before the event occurred) drag, and move it over to the right. Example March 24th - March 27th.\\r\\n\\r\\nAfter adding our second time filter to the page, move forward to looking at the DNS requests. You might see a large spike in a specific DNS request, could be something you're not even familiar with. Using an example, i see a DNS request for \\\"strcat('md-fpp31tsvhx4s.blob.core.', 'windows.', '.net')\\\" for 300K times in my current filters. By selecting this Request Name, it'll filter on the right showing me which clients are requesting this DNS traffic. Which after clicking on my request, i see 2 different IP addresses now. Oddly though, one is much smaller than the other. Lets select that Ip address to add an additional filter to the logs. Now we can see the logs related to that machine client ip, specifically around that DNS request name. This might help you narrow down if there are any actions that need to be taken on your firewall.\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- Azure Firewall Diagnostic settings enabled, specifically requires DNS Proxy Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall Premium- IDPS page has the following features.\\r\\n\\r\\n*As noted on the title, these logs are only created on the Azure Firewall Premium sku*\\r\\n\\r\\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\\r\\n\\r\\n- IDPS Actions Count*\\r\\n- IDPS Protocol Count*\\r\\n- IDPS SignatureID Count*\\r\\n- IDPS SourceIP Count*\\r\\n- Azure Firewall IDPS count over time (Time Scrub Enabled)\\r\\n- Azure Firewall IDPS logs with GeoLocation\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\\r\\n\\r\\nStarting out you'll see Pie Charts offering multiple filtering options to your IDPS logs, showing Alerts, Protocols, SignatureIDs and Sources of the logs. Lets start by selecting an ClientIP address(SourceIP) under the \\\"IDPS SourceIP Count, filterable by SourceIP\\\". I clicked on the largest one, you might of noticed most of the traffic under the IDPS logs are alerts, Mostly TCP to this ClientIP address and there could be some specific SignatureID's are being triggered. Looking further into the logs, you should expand the Source IP to see the different IP Addresses this client has talked to within the past 14 days(current global filter). The majority of the traffic is going to XX.XX.XX.XX, which is something to remember.\\r\\n\\r\\nGoing further down, you might noticed a spike in traffic, lets use the time scrub feature to narrow down the time window to that spike. Start by selecting on the left side(where you're wanting to start time to be, before the event occurred) drag, and move it over to the right(the end time). Example March 24th - March 27th.\\r\\n\\r\\n*Note; The GeoLocation + Data can take a long time to refresh.*\\r\\n\\r\\nYou should now be able to see data we filtered down to, with it based on GeoLocation/Signature ID's\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- Azure Firewall Premium Diagnostic settings enabled, specifically requires IDPS Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall - Investigation page has the following features.\\r\\n\\r\\n*Note, this is a combination of all the logs within the Azure Firewall workbook. Some logs are from the Azure Firewall Premium sku*\\r\\n\\r\\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\\r\\n\\r\\n- IFQDN Traffic by Count*\\r\\n- SourceIP Address*\\r\\n- SourceIPAddress Resource Lookup (Azure Resource Graph)\\r\\n- FQDN Lookup logs\\r\\n- Azure Firewall Threat Intel\\r\\n- Azure Firewall Premium with GeoLocation- IDPS\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\\r\\n\\r\\nThis is the page where we narrow down everything, You should considering adding your own twist based on your own investigations to this page. Leverage this as a template of where to start and how to move forward.\\r\\n\\r\\nStarting out we see FQDN and IP Address are the page's first filters offered.\\r\\n\\r\\nLooking at source count, you might see something that has a large count. Like the following example \\\"watson.telemetry.microsoft.com\\\". Click on the \\\"Deny\\\"/'Count' line to use the filter feature for the whole page.\\r\\n\\r\\nThis narrowed down our large list of client (SourceIP) address to a smaller list, which could be used to find out which client is being the loudest or maybe something that sneaked in that wasn't suppose to be talking to this FQDN in the first place. Click on an IPAddress(SourceIP). \\r\\n\\r\\nAzure Resource Graph is then used to find which machine this is, which Azure Resource NIC, Public IP address, Subnet, etc.\\r\\n\\r\\nUse the other data sets to help see the logs you've filtered based on the FQDN + IPAddress above. \\r\\n\\r\\n*Note, FQDN isn't required for the Azure Resource Graph lookup.*\\r\\n\\r\\nSome log sources might be blank, that's perfectly acceptable in this scenario as we're filtering down to alerts and events.\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- All Azure Firewall Diagnostic Logs\\r\\n- RBAC Permissions for Azure Resource Graph lookup.\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"name\":\"text - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Get-Help\"},{\"type\":1,\"content\":{\"json\":\"# Azure Firewall - overview\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"name\":\"Main title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"where type =~ 'Microsoft.Network/azureFirewalls'\\r\\n| extend Tier = trim(' ', tostring(properties.sku.tier))\\r\\n| extend Status = trim(' ', tostring(iif(isempty(properties.ipConfigurations.[0].properties.provisioningState), properties.provisioningState, properties.ipConfigurations.[0].properties.provisioningState)))\\r\\n| extend Premium = iff(Tier == \\\"Premium\\\", \\\"Yes\\\", \\\"No\\\")\\r\\n| extend Standard = iff(Tier == \\\"Standard\\\", \\\"Yes\\\", \\\"No\\\")\\r\\n| extend ProvisionedState = iff(Status == \\\"Succeeded\\\", \\\"Running\\\", \\\"Not Running\\\")\\r\\n| extend Policy = trim(' ', tostring(properties.firewallPolicy.id))\\r\\n| extend ApplicationRule1 = trim(' ', tostring(properties.applicationRuleCollections.[0].id))\\r\\n| extend ApplicationRule2 = trim(' ', tostring(properties.applicationRuleCollections.[0].id))\\r\\n| extend ApplicationRule3 = iff(ApplicationRule1 == \\\"\\\", \\\"N/A\\\", \\\"\\\")\\r\\n| extend ApplicationRule4 = iff(ApplicationRule2 contains \\\"subscription\\\", \\\"Configured\\\", \\\"\\\")\\r\\n| extend ApplicationRuleClassic = strcat(ApplicationRule3, ApplicationRule4)\\r\\n| extend NetworkRule1 = trim(' ', tostring(properties.networkRuleCollections.[0].id))\\r\\n| extend NetworkRule2 = trim(' ', tostring(properties.networkRuleCollections.[0].id))\\r\\n| extend NetworkRule3 = iff(NetworkRule1 == \\\"\\\", \\\"N/A\\\", \\\"\\\")\\r\\n| extend NetworkRule4 = iff(NetworkRule1 contains \\\"subscription\\\", \\\"Configured\\\", \\\"\\\")\\r\\n| extend NetworkRuleClassic = strcat(NetworkRule3, NetworkRule4)\\r\\n| project Firewall=id, Premium, Standard, ProvisionedState,FirewallPolicy= Policy, ApplicationRuleClassic, NetworkRuleClassic, location, resourceGroup, subscriptionId, tenantId\",\"size\":1,\"title\":\"Azure Firewall Resource List\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"value::selected\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Premium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Yes\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"No\",\"representation\":\"grayBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Standard\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Yes\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"No\",\"representation\":\"grayBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProvisionedState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Running\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not Running\",\"representation\":\"grayBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ApplicationRuleClassic\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"NetworkRuleClassic\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibility\":{\"parameterName\":\"FirewallResources\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"100\",\"name\":\"query - 60\",\"styleSettings\":{\"margin\":\"0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\" \\r\\n| summarize Volume=count() by bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Events, by time: Query Time({$queryTime})\",\"noDataMessage\":\"There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"25\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\" \\r\\n| summarize Volume=count() by Resource, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Events, by firewall over time: Query Time({$queryTime})\",\"noDataMessage\":\"There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"TopEvent\",\"exportDefaultValue\":\"{\\\"Resource\\\":\\\"*\\\",\\\"ResourceGroup\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Resource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"amount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"25\",\"name\":\"Firewall per Resource Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| project Category, ResourceType, OperationName);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by Category\\r\\n)\\r\\n| sort by Volume desc\",\"size\":0,\"title\":\"Events, by category: Query Time({$queryTime})\",\"noDataMessage\":\"There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"SelectedCategory\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Volume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"25\",\"name\":\"Events by category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| project Category, ResourceType, OperationName, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by OperationName, bin(TimeGenerated, {TimeRange:grain})\\r\\n | project Category=OperationName, Volume, TimeGenerated\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | summarize Volume=count() by OperationName, bin(TimeGenerated, {TimeRange:grain})\\r\\n | project Category=OperationName, Volume, TimeGenerated\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by Category, bin(TimeGenerated, {TimeRange:grain})\\r\\n)\\r\\n| sort by Volume desc\",\"size\":0,\"title\":\"Events categories, by time: Query Time({$queryTime})\",\"noDataMessage\":\"There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"25\",\"name\":\"Events categories by time\"},{\"type\":1,\"content\":{\"json\":\"### Firewall Metrics\\r\\nThe data below dosen't read from the Log Analytics workpsace, it's reading directly from the resources which requires resource visibility. \\r\\nClick [here for more information on Azure Metrics](https://docs.microsoft.com/azure/azure-monitor/platform/data-platform-metrics)\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"name\":\"text - 39\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":1209600000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--Throughput\",\"aggregation\":4,\"columnName\":\"All Firewall Throughput Average\"}],\"title\":\"Average Throughput of Firewall Traffic\",\"gridSettings\":{\"rowLimit\":2000}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"50\",\"name\":\"metric - 25\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":1209600000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--SNATPortUtilization\",\"aggregation\":4}],\"title\":\"SNAT Port Utilization\",\"gridSettings\":{\"rowLimit\":2000}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"50\",\"name\":\"metric - 25 - Copy\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":1209600000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--NetworkRuleHit\",\"aggregation\":1}],\"title\":\"Network Rule Hitcount (SUM)\",\"gridSettings\":{\"rowLimit\":2000}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"50\",\"name\":\"metric - 25 - Copy - Copy\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":1209600000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--ApplicationRuleHit\",\"aggregation\":1}],\"title\":\"Application Rule Hitcount (SUM)\",\"gridSettings\":{\"rowLimit\":2000}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"50\",\"name\":\"metric - 25 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n# Azure Firewall - Application rule log statistics\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"name\":\"text - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project ResourceId,ResourceGroup,SubscriptionId, msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| summarize Amount=count() by SourceIP\\r\\n| join kind = inner\\r\\n( union (\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n | make-series Trend = count() default = 0 on bin(TimeGenerated, {TimeRange:grain}) from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP) on SourceIP\\r\\n | project-away SourceIP1, TimeGenerated\\r\\n | top 10 by Amount\\r\\n | sort by Amount\\r\\n\",\"size\":1,\"title\":\"Unique Source IP addresses, filterable by SelectedSourceIP: Query Time ({$queryTime})\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SelectedSourceIP\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Amount\",\"formatter\":12,\"formatOptions\":{\"showIcon\":true}},\"subtitleContent\":{\"columnMatch\":\"SourceIP\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| summarize Count = count(), last_log = datetime_diff(\\\"second\\\", now(), max(TimeGenerated)) by RuleCollection, Rule, WebCategory\",\"size\":1,\"title\":\"Application Rule Usage : Query Time ({$queryTime})\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 36\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| where Action == \\\"Deny\\\"\\r\\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \\\"*\\\" \\r\\n| summarize count() by FQDN, bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Denied FQDN's over time\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| where Action == \\\"Deny\\\"\\r\\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \\\"*\\\" \\r\\n| summarize count() by FQDN\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Denied FQDN's by count\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}],\"sortBy\":[{\"itemKey\":\"$gen_heatmap_count__1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_count__1\",\"sortOrder\":2}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n) \\r\\n| where Action == \\\"Allow\\\"\\r\\n| summarize count() by FQDN, bin(TimeGenerated,{TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Allowed FQDN's over time\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| where Action == \\\"Allow\\\"\\r\\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \\\"*\\\" \\r\\n| summarize count() by FQDN\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Allowed FQDN's by count\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| where isnotempty(WebCategory)\\r\\n| where Action == \\\"Allow\\\"\\r\\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \\\"*\\\" \\r\\n| summarize count() by WebCategory, bin(TimeGenerated,{TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Allowed Web Categories over time\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| where isnotempty(WebCategory)\\r\\n| where Action == \\\"Allow\\\"\\r\\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \\\"*\\\"\\r\\n| summarize count() by WebCategory\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"title\":\"Allowed Web Categories by count\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]},\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| where isnotempty(WebCategory)\\r\\n| where Action == \\\"Deny\\\"\\r\\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \\\"*\\\" \\r\\n| summarize count() by WebCategory, bin(TimeGenerated,{TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Denied Web Categories over time\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| where isnotempty(WebCategory)\\r\\n| where Action == \\\"Deny\\\"\\r\\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \\\"*\\\"\\r\\n| summarize count() by WebCategory\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Denied Web Catgories by count\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project ResourceId,ResourceGroup,SubscriptionId, msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \\\"*\\\" \\r\\n| summarize by TimeGenerated, FQDN, Protocol, Action, SourceIP, SourcePort, DestinationPort , ResourceId , ResourceGroup , RuleCollection, Rule, WebCategory, SubscriptionId\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"All IP addresses events: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"name\":\"query - 9\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n# Azure Firewall - Network rule log statistics\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"name\":\"text - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\n// Azure Firewall Networking - Standard Log\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Type=\\\" and msg_s !has \\\"DNAT'ed\\\" and msg_s !has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking with ICMP\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Type=\\\"\\r\\n| parse msg_s with Protocol \\\" Type=\\\" ICMPType \\\" request from \\\" SourceIP \\\" to \\\" DestinationIP \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule - Standard\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s !has \\\". Rule Collection:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Policy: \\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n)\\r\\n| summarize count() by Action\",\"size\":3,\"title\":\"Rule actions, filterable by RuleAction\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"RuleAction\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\n// Azure Firewall Networking - Standard Log\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Type=\\\" and msg_s !has \\\"DNAT'ed\\\" and msg_s !has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking with ICMP\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Type=\\\"\\r\\n| parse msg_s with Protocol \\\" Type=\\\" ICMPType \\\" request from \\\" SourceIP \\\" to \\\" DestinationIP \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule - Standard\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s !has \\\". Rule Collection:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Policy: \\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n)\\r\\n| summarize Count=count() by DestinationPort\",\"size\":3,\"title\":\"Target ports, filterable by TargetPort\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"DestinationPort\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\n// Azure Firewall Networking - Standard Log\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Type=\\\" and msg_s !has \\\"DNAT'ed\\\" and msg_s !has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking with ICMP\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Type=\\\"\\r\\n| parse msg_s with Protocol \\\" Type=\\\" ICMPType \\\" request from \\\" SourceIP \\\" to \\\" DestinationIP \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule - Standard\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s !has \\\". Rule Collection:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Policy: \\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n)\\r\\n| where Action == \\\"DNAT'ed\\\"\\r\\n| summarize Amount=count() by NatDestination\\r\\n\",\"size\":3,\"title\":\"DNAT actions, filterable by NatDestination\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"NatDestination\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//reference list posted here : https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin\\r\\nlet geoData = externaldata\\r\\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\\r\\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\\r\\n[@\\\"{GeoLocation}\\\"] with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nlet materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\n// Azure Firewall Networking - Standard Log\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Type=\\\" and msg_s !has \\\"DNAT'ed\\\" and msg_s !has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking with ICMP\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Type=\\\"\\r\\n| parse msg_s with Protocol \\\" Type=\\\" ICMPType \\\" request from \\\" SourceIP \\\" to \\\" DestinationIP \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule - Standard\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s !has \\\". Rule Collection:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Policy: \\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n)\\r\\n| project DestinationIP\\r\\n| evaluate ipv4_lookup (geoData, DestinationIP, network, false)\\r\\n| summarize count() by continent_name\\r\\n\",\"size\":2,\"title\":\"GeoLocation\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"netcontinent\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 61\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\n// Azure Firewall Networking - Standard Log\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Type=\\\" and msg_s !has \\\"DNAT'ed\\\" and msg_s !has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking with ICMP\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Type=\\\"\\r\\n| parse msg_s with Protocol \\\" Type=\\\" ICMPType \\\" request from \\\" SourceIP \\\" to \\\" DestinationIP \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule - Standard\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s !has \\\". Rule Collection:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Policy: \\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n)\\r\\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \\\"*\\\"\\r\\n| where \\\"{RuleAction}\\\" == Action or \\\"{RuleAction}\\\" == \\\"*\\\"\\r\\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \\\"*\\\"\\r\\n| summarize amount = count() by Action , SourceIP\\r\\n| sort by amount desc\",\"size\":0,\"title\":\"Rule actions, by IP addresses\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Action\",\"formatter\":5},{\"columnMatch\":\"amount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"eventCount\",\"formatter\":3,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":2000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Action\"],\"expandTopLevel\":false,\"finalBy\":\"Action\"}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\n// Azure Firewall Networking - Standard Log\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Type=\\\" and msg_s !has \\\"DNAT'ed\\\" and msg_s !has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking with ICMP\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Type=\\\"\\r\\n| parse msg_s with Protocol \\\" Type=\\\" ICMPType \\\" request from \\\" SourceIP \\\" to \\\" DestinationIP \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule - Standard\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s !has \\\". Rule Collection:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Policy: \\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n)\\r\\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \\\"*\\\"\\r\\n| where \\\"{RuleAction}\\\" == Action or \\\"{RuleAction}\\\" == \\\"*\\\"\\r\\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \\\"*\\\" \\r\\n| summarize AMOUNT=count() by DestinationPort, SourceIP\\r\\n| sort by AMOUNT desc\",\"size\":0,\"title\":\"Target ports, by Source IP: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DestinationPort\",\"formatter\":5},{\"columnMatch\":\"AMOUNT\",\"formatter\":3,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}],\"rowLimit\":2000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"DestinationPort\"],\"expandTopLevel\":false}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\n// Azure Firewall Networking - Standard Log\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Type=\\\" and msg_s !has \\\"DNAT'ed\\\" and msg_s !has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking with ICMP\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Type=\\\"\\r\\n| parse msg_s with Protocol \\\" Type=\\\" ICMPType \\\" request from \\\" SourceIP \\\" to \\\" DestinationIP \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule - Standard\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s !has \\\". Rule Collection:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Policy: \\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n)\\r\\n| where Action == \\\"DNAT'ed\\\"\\r\\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \\\"*\\\"\\r\\n| where \\\"{RuleAction}\\\" == Action or \\\"{RuleAction}\\\" == \\\"*\\\"\\r\\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \\\"*\\\"\\r\\n| summarize Amount=count() by NatDestination, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"DNAT'ed over time\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//reference list posted here : https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin\\r\\nlet geoData = externaldata\\r\\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\\r\\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\\r\\n[@\\\"{GeoLocation}\\\"] with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nlet materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\n// Azure Firewall Networking - Standard Log\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Type=\\\" and msg_s !has \\\"DNAT'ed\\\" and msg_s !has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking with ICMP\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Type=\\\"\\r\\n| parse msg_s with Protocol \\\" Type=\\\" ICMPType \\\" request from \\\" SourceIP \\\" to \\\" DestinationIP \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule - Standard\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s !has \\\". Rule Collection:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Policy: \\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n)\\r\\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \\\"*\\\"\\r\\n| where \\\"{RuleAction}\\\" == Action or \\\"{RuleAction}\\\" == \\\"*\\\"\\r\\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \\\"*\\\"\\r\\n| project DestinationIP, TimeGenerated\\r\\n| evaluate ipv4_lookup (geoData, DestinationIP, network, false)\\r\\n| summarize Amount=count() by continent_name, bin(TimeGenerated, {TimeRange:grain})\\r\\n\\r\\n\",\"size\":0,\"title\":\"GeoLocation over time\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 13 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\n// Azure Firewall Networking - Standard Log\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Type=\\\" and msg_s !has \\\"DNAT'ed\\\" and msg_s !has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking with ICMP\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Type=\\\"\\r\\n| parse msg_s with Protocol \\\" Type=\\\" ICMPType \\\" request from \\\" SourceIP \\\" to \\\" DestinationIP \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule - Standard\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s !has \\\". Rule Collection:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Policy: \\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n)\\r\\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \\\"*\\\"\\r\\n| where \\\"{RuleAction}\\\" == Action or \\\"{RuleAction}\\\" == \\\"*\\\"\\r\\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \\\"*\\\"\\r\\n| summarize count() by Action, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Actions, by time\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"ActionsByTimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"name\":\"query - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//reference list posted here : https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin\\r\\nlet geoData = externaldata\\r\\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\\r\\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\\r\\n[@\\\"{GeoLocation}\\\"] with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nlet materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\n// Azure Firewall Networking - Standard Log\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Type=\\\" and msg_s !has \\\"DNAT'ed\\\" and msg_s !has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking with ICMP\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Type=\\\"\\r\\n| parse msg_s with Protocol \\\" Type=\\\" ICMPType \\\" request from \\\" SourceIP \\\" to \\\" DestinationIP \\\". Action: \\\" Action\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule - Standard\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s !has \\\". Rule Collection:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Networking DNAT rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"DNAT'ed\\\" and msg_s has \\\". Rule Collection:\\\" and msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\" was \\\" Action \\\" to \\\" NatDestination \\\". Policy: \\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall not using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Rule Collection:\\\" and msg_s !has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n),\\r\\n(\\r\\n// Azure Firewall Network rule (firewall using policy)\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Policy:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestinationIP \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule Name: \\\" Rule\\r\\n)\\r\\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \\\"*\\\"\\r\\n| where \\\"{RuleAction}\\\" == Action or \\\"{RuleAction}\\\" == \\\"*\\\"\\r\\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \\\"*\\\"\\r\\n| summarize by TimeGenerated,Protocol, ICMPType, Action,SourceIP, SourcePort, DestinationIP , DestinationPort , NatDestination, ResourceId , ResourceGroup , SubscriptionId\\r\\n| evaluate ipv4_lookup (geoData, DestinationIP, network, false)\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"All IP addresses events with GeoLocation: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"ActionsByTimeBrush\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"name\":\"query - 22\"},{\"type\":1,\"content\":{\"json\":\"# Azure Firewall -DNS Proxy\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"name\":\"text - 41\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project Resource, TimeGenerated\\r\\n| summarize count() by Resource, bin(TimeGenerated,{TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"DNSProxy Traffic by count per Firewall: Query Time({$queryTime}) \",\"noDataMessage\":\"There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"DNSTimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"name\":\"query - 30 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project-away msg_s\\r\\n| summarize count() by Request_Name\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"DNSProxy count by Request Name, filterable by Request_Name\",\"noDataMessage\":\"There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"DNSTimeBrush\",\"exportFieldName\":\"Request_Name\",\"exportParameterName\":\"DNSRequestName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"customWidth\":\"25\",\"name\":\"query - 30 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project-away msg_s\\r\\n| where '{DNSRequestName}' == Request_Name or '{DNSRequestName}' == \\\"*\\\"\\r\\n| summarize count() by ClientIP\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"DNSProxy Request count by ClientIP, filterable by ClientIP\",\"noDataMessage\":\"There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"DNSTimeBrush\",\"exportFieldName\":\"ClientIP\",\"exportParameterName\":\"DNSClientIP\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"customWidth\":\"25\",\"name\":\"query - 30 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project-away msg_s\\r\\n| where '{DNSClientIP}' == ClientIP or '{DNSClientIP}' == \\\"*\\\"\\r\\n| where '{DNSRequestName}' == Request_Name or '{DNSRequestName}' == \\\"*\\\"\\r\\n| summarize count() by ClientIP, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"DNS Proxy Request over time by ClientIP\",\"noDataMessage\":\"There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"DNSTimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"customWidth\":\"50\",\"name\":\"query - 30 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project-away msg_s\\r\\n| where '{DNSClientIP}' == ClientIP or '{DNSClientIP}' == \\\"*\\\"\\r\\n| where '{DNSRequestName}' == Request_Name or '{DNSRequestName}' == \\\"*\\\"\\r\\n| summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNSO_DO, EDNS0_Buffersize, Responce_Code, Responce_Flags, Responce_Size, Response_Duration, SubscriptionId\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Proxy Information: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"DNSTimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"name\":\"query - 30\"},{\"type\":1,\"content\":{\"json\":\"# Azure Firewall Premium - IDPS\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"name\":\"text - 42\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\\r\\n| summarize count() by Action\",\"size\":2,\"title\":\"IDPS Actions Count, filterable by Action\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"IDSIPSAction\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 44\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\\r\\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \\\"*\\\"\\r\\n| summarize count() by Protocol\",\"size\":2,\"title\":\"IDPS Protocol Count, filterable by Protocol\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"IDSIPSProtocol\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\\r\\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \\\"*\\\"\\r\\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \\\"*\\\"\\r\\n| summarize count() by SignatureID\\r\\n\",\"size\":2,\"title\":\"IDPS SignatureID Count, filterable by SignatureID\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"IDSIPSSignatureID\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\\r\\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \\\"*\\\"\\r\\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \\\"*\\\"\\r\\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \\\"*\\\"\\r\\n| summarize count() by SourceIP, DestIP\\r\\n| sort by count_ desc\",\"size\":2,\"title\":\"IDPS SourceIP Count, filterable by SourceIP\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"IDSIPSSourceIP\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceIP\",\"formatter\":5}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"SourceIP\"],\"expandTopLevel\":false}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n//| project-away Category, ResourceId, msg_s, SubscriptionId, ResourceProvider, ResourceType, OperationName, Type\\r\\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\\r\\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \\\"*\\\"\\r\\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \\\"*\\\"\\r\\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \\\"*\\\"\\r\\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \\\"*\\\"\\r\\n| summarize count() by Action\",\"size\":0,\"title\":\"Filtered IDPS Actions by Count\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 44 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n//| project-away Category, ResourceId, msg_s, SubscriptionId, ResourceProvider, ResourceType, OperationName, Type\\r\\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\\r\\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \\\"*\\\"\\r\\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \\\"*\\\"\\r\\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \\\"*\\\"\\r\\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \\\"*\\\"\\r\\n| summarize count() by Protocol\",\"size\":0,\"title\":\"Filtered IDPS Protocols by Count\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n//| project-away Category, ResourceId, msg_s, SubscriptionId, ResourceProvider, ResourceType, OperationName, Type\\r\\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\\r\\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \\\"*\\\"\\r\\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \\\"*\\\"\\r\\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \\\"*\\\"\\r\\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \\\"*\\\"\\r\\n| summarize count() by SignatureID\",\"size\":0,\"title\":\"Filtered IDPS SignatureIDs by Count\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\\r\\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \\\"*\\\"\\r\\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \\\"*\\\"\\r\\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \\\"*\\\"\\r\\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \\\"*\\\"\\r\\n| summarize Volume=count() by DestIP, SourceIP\\r\\n| sort by Volume desc\",\"size\":0,\"title\":\"Filtered SourceIP, filterable by DestIP\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"DestIP\",\"exportParameterName\":\"IDSIPSDestIP\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceIP\",\"formatter\":5},{\"columnMatch\":\"Volume\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"}}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"SourceIP\"],\"expandTopLevel\":false}},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SourceIP\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Volume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"SourceIP\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Volume\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message, Resource\\r\\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \\\"*\\\"\\r\\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \\\"*\\\"\\r\\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \\\"*\\\"\\r\\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \\\"*\\\"\\r\\n| where '{IDSIPSDestIP}' == DestIP or '{IDSIPSDestIP}' == \\\"*\\\"\\r\\n| summarize count() by Resource, bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Azure Firewall IDPS count over time\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"AFIDSIPSBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceIP\",\"formatter\":5}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"SourceIP\"],\"expandTopLevel\":false}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"name\":\"query - 45\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//reference list posted here : https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin\\r\\nlet geoData = externaldata\\r\\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\\r\\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\\r\\n[@\\\"{GeoLocation}\\\"] with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n| project TimeGenerated, SignatureID, Message, Priority, Classification, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, Resource\\r\\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \\\"*\\\"\\r\\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \\\"*\\\"\\r\\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \\\"*\\\"\\r\\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \\\"*\\\"\\r\\n| where '{IDSIPSDestIP}' == DestIP or '{IDSIPSDestIP}' == \\\"*\\\"\\r\\n| evaluate ipv4_lookup (geoData, DestIP, network, false)\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall IDPS logs with GeoLocation: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"AFIDSIPSBrush\",\"timeBrushParameterName\":\"AFIDSIPSBrush\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Message\",\"country_name\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"name\":\"query - 45 - Copy\"},{\"type\":1,\"content\":{\"json\":\"# Azure Firewall - Investigation\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"name\":\"text - 43\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project ResourceId,ResourceGroup,SubscriptionId, msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| summarize count() by FQDN, Action\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"FQDN Traffic by Count, filterable by FQDN: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"FQDN\",\"exportParameterName\":\"FullName\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FQDN\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"minimumIntegerDigits\":1,\"maximumFractionDigits\":1,\"maximumSignificantDigits\":4}}}],\"rowLimit\":2000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"FQDN\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"customWidth\":\"35\",\"name\":\"query - 29 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project ResourceId,ResourceGroup,SubscriptionId, msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| where SourceIP <> \\\"\\\"\\r\\n| where FQDN == \\\"{FullName:label}\\\" or '{FullName}' == \\\"*\\\"\\r\\n| summarize count() by SourceIP, SubscriptionId\\r\\n| sort by count_\",\"size\":0,\"title\":\"SourceIP Address, filterable: Query Time({$queryTime})\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"SourceIP\",\"parameterName\":\"InvestigateIP\",\"parameterType\":1,\"defaultValue\":\"privateIPAddress\"},{\"fieldName\":\"SourceIP\",\"parameterName\":\"InvestigateIPWC\",\"parameterType\":1,\"defaultValue\":\"*\"},{\"fieldName\":\"SubscriptionId\",\"parameterName\":\"SelectedSubscriptionId\",\"parameterType\":1,\"defaultValue\":\"-\"}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SubscriptionId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceIP\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},\"showBorder\":true,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"customWidth\":\"15\",\"name\":\"query - 33\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type =~ 'microsoft.network/networkinterfaces'\\r\\n| where properties contains \\\"{InvestigateIP}\\\"\\r\\n| extend NSG = properties['networkSecurityGroup']['id']\\r\\n| parse NSG with \\\"/subscriptions/\\\" NetworkSecurityGroup_Sub \\\"/resourceGroups/\\\" NetworkSecurityGroup_rg \\\"/providers/Microsoft.Network/networkSecurityGroups/\\\" NetworkSecurityGroup_Name\\r\\n| project id, PrivateIPAddress = tostring(properties['ipConfigurations'][0]['properties']['privateIPAddress']), PublicIPAddress = tostring(properties['ipConfigurations'][0]['properties']['publicIPAddress']['id']), VirtualMachine = tostring(properties['virtualMachine']['id']), subnet = tostring(properties['ipConfigurations'][0]['properties']['subnet']['id']), NetworkSecurityGroup = NetworkSecurityGroup_Name, properties, subscriptionId, tenantId\",\"size\":0,\"title\":\"SourceIPAddress Resource Lookup: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"exportFieldName\":\"id\",\"exportParameterName\":\"Testid\",\"exportDefaultValue\":\"*\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"value::selected\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"properties\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceIP\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},\"showBorder\":true,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"customWidth\":\"50\",\"name\":\"query - 33 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project ResourceId,ResourceGroup,SubscriptionId, msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s has \\\". No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\"TLS extension was missing\\\"\\r\\n| where msg_s has \\\" Reason:\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"TLS extension was missing\\\" and msg_s !has \\\"No rule matched\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\" and msg_s !has \\\"Rule Collection\\\" and msg_s !has \\\" Reason: \\\"\\r\\n| where msg_s has \\\"Rule Collection Group\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n)\\r\\n| where SourceIP == \\\"{InvestigateIPWC:label}\\\" or '{InvestigateIPWC}' == \\\"*\\\"\\r\\n| where FQDN == \\\"{FullName:label}\\\" or '{FullName}' == \\\"*\\\"\\r\\n| summarize by TimeGenerated, FQDN, Protocol, Action, SourceIP, SourcePort, DestinationPort , ResourceId , ResourceGroup , RuleCollection, Rule, WebCategory, SubscriptionId\\r\\n\\r\\n\\r\\n\",\"size\":0,\"title\":\"FQDN Lookup logs: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"customWidth\":\"100\",\"name\":\"query - 33\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where msg_s contains \\\"{InvestigateIPWC:label}\\\" or '{InvestigateIPWC}' == \\\"*\\\"\\r\\n| where msg_s <> \\\" request from to . Action: . ThreatIntel: \\\"\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url: \\\" Url \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n)\\r\\n| summarize by TimeGenerated, Protocol, SourceIP, SourcePort, FQDN, DestinationPort, Url, Action, ThreatIntelMsg\",\"size\":0,\"title\":\"Azure Firewall Threat Intel: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"There is no Azure Firewall Threat Intel for your filtered results\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"name\":\"query - 29\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//reference list posted here : https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin\\r\\nlet geoData = externaldata\\r\\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\\r\\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\\r\\n[@\\\"{GeoLocation}\\\"] with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where msg_s contains \\\"{InvestigateIPWC:label}\\\" or '{InvestigateIPWC}' == \\\"*\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" DestIP \\\":\\\" DestPort \\\". Action: \\\" Action \\\". Signature: \\\" SignatureID \\\". IDS:\\\" Message \\\". Priority:\\\" Priority \\\". Classification:\\\" Classification\\r\\n| summarize by TimeGenerated, SignatureID, Message, Priority, Classification, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, Resource\\r\\n| evaluate ipv4_lookup (geoData, DestIP, network, false)\\r\\n\",\"size\":0,\"title\":\"Azure Firewall Premium with GeoLocation- IDPS: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"$gen_group\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"Message\",\"formatter\":5},{\"columnMatch\":\"country_name\",\"formatter\":5},{\"columnMatch\":\"$gen_group\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Message\",\"country_name\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"name\":\"query - 58\"}],\"fallbackResourceIds\":[\"Azure Monitor\"],\"fromTemplateId\":\"sentinel-AzureFirewall\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
"description": "@{workbookKey=AzureFirewallWorkbook; logoFileName=AzFirewalls.svg; description=Gain insights into Azure Firewall events. You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.3.0; title=Azure Firewall; templateRelativePath=AzureFirewallWorkbook.json; subtitle=; provider=Microsoft}.description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
"version": "[variables('workbookVersion1')]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"contentId": "AzureDiagnostics",
"kind": "DataType"
},
{
"contentId": "AzureFirewall",
"kind": "DataConnector"
}
]
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_workbookContentId1')]",
"contentKind": "Workbook",
"displayName": "[parameters('workbook1-name')]",
"contentProductId": "[variables('_workbookcontentProductId1')]",
"id": "[variables('_workbookcontentProductId1')]",
"version": "[variables('workbookVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('workbookTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AzureFirewallWorkbook-StructuredLogs Workbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Insights/workbooks",
"name": "[variables('workbookContentId2')]",
"location": "[parameters('workspace-location')]",
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
"description": "Gain insights into Azure Firewall events using the new Structured Logs for Azure Firewall. You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces."
},
"properties": {
"displayName": "[parameters('workbook2-name')]",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure Firewall Workbook\\r\\n---\\r\\n\"},\"name\":\"text - 23\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20847ce8-91bc-4d8b-b878-a5a41c95c31c\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall Overview\",\"subTarget\":\"AFOverview\",\"preText\":\"Azure Firewall Overview\",\"style\":\"link\"},{\"id\":\"f564709d-1658-46a1-8b44-892210e13017\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall - Application rule log statistics\",\"subTarget\":\"AFAppRule\",\"style\":\"link\"},{\"id\":\"1f6661e2-f873-4d56-879d-4d085d8cf1d4\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall - Network rule log statistics\",\"subTarget\":\"AFNetRule\",\"style\":\"link\"},{\"id\":\"ef1548c5-ef55-4eaa-8a81-b049cb93b56c\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall - DNS Proxy\",\"subTarget\":\"AFDNSProxy\",\"style\":\"link\"},{\"id\":\"18a4a585-2176-4d9f-907c-8e8d5f984efa\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall Premium - IDPS\",\"subTarget\":\"AFIDSIPS\",\"style\":\"link\"},{\"id\":\"97dc7364-961d-4c19-a730-7b9024f46b91\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Azure Firewall - Investigation\",\"subTarget\":\"AFInvestigate\",\"style\":\"link\"}]},\"name\":\"links - 24\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ab7d6c51-d7df-436c-96a2-429163aa50ec\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"isGlobal\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":false}},{\"id\":\"add90eb3-ff5f-4b19-9658-ff15c8043af5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspaces\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id, name\\r\\n| order by name desc\",\"crossComponentResources\":[\"value::selected\"],\"value\":[\"value::100\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::100\"]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"5084e141-6c56-4d7f-bd8a-09f7ef9af1bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Resource\",\"label\":\"Azure Firewalls\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'Microsoft.Network/azureFirewalls'\\r\\n| project id, name\",\"crossComponentResources\":[\"value::selected\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"13d9f6e9-9290-4b1e-b0d0-a7c0ebdc1aed\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"description\":\"This will show some help information to help you understand the page you are on\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"Change Log\\\", \\\"label\\\": \\\"Change Log\\\"}\\r\\n]\"},{\"id\":\"68f2cb32-03d4-4307-8eb5-1f66dfc09a85\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirewallResources\",\"label\":\"Show Resources\",\"type\":2,\"description\":\"The is only used on the Overview page.\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\" }\\r\\n]\",\"value\":\"No\"},{\"id\":\"53aa8daf-29de-40a1-9147-c0970e32fac4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GeoLocation\",\"label\":\"GeoLocationCSV\",\"type\":2,\"description\":\"Supplied as a value for GeoLocation lookup on queries: Read more here - https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin#ipv4-lookup---matching-rows-only\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"\\r\\n[\\r\\n{\\r\\n\\\"value\\\": \\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\", \\\"label\\\": \\\"GeoLocationDefault\\\", \\\"selected\\\": \\\"true\\\" \\r\\n}\\r\\n]\\r\\n\\r\\n\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Overview - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|v1.0\\t|Initial Version|\\r\\n|V1.1.0\\t|Split up the data sets, Overview, Application Rule Logs, Network Rule Logs, DNS Proxy Logs. Added in Investigation visibility with Azure Firewall + Azure Graph. Added in visibility to multiple workspaces and filtering to Firewall resources. |\\r\\n|V1.2.0 | Added new filteres, \\\"Show Help\\\", \\\"Show Resources\\\", \\\"GeoLocationCSV\\\", Updated query parsing to the Overview queries. Improved overall performance in large data scale performance with new parsing requirements.\"},\"conditionalVisibilities\":[{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"}],\"name\":\"text - 40\"},{\"type\":1,\"content\":{\"json\":\"### Azure Firewall - App Rules - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|v1.0.0 | Initial Version\\r\\n|V1.2.0 | Added in new Querires for Azure Firewall features, parsing is now used differently. Added Web Category.\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"}],\"name\":\"text - 63\"},{\"type\":1,\"content\":{\"json\":\"### Azure Firewall - Network Rule - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|V1.0.0 | Initial Version\\r\\n|V1.2.0 | Added in new Querires for Azure Firewall features, parsing is now used differently. Added in GeoLocation queries, updated main query to use GeoLocation data.\"},\"conditionalVisibilities\":[{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"}],\"name\":\"text - 64\"},{\"type\":1,\"content\":{\"json\":\"### Azure Firewall - DNSProxy - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|V1.1.0 | Initial Version\\r\\n|V1.2.0 | No modifications were made\"},\"conditionalVisibilities\":[{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"}],\"name\":\"text - 65\"},{\"type\":1,\"content\":{\"json\":\"### Azure Firewall Prem - IDPS - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|V1.2.0 | Initial Version\"},\"conditionalVisibilities\":[{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"}],\"name\":\"text - 66\"},{\"type\":1,\"content\":{\"json\":\"### Azure Firewall Prem - IDPS - Change Log\\r\\n|Version|Description|\\r\\n|---|---|\\r\\n|V1.0.0 | Initial Version\\r\\n|V1.2.0 | Added IDPS Logs to the investgation experience, Added in GeoLocation infromation. Updated the KQL logic to be faster for large data volume.\"},\"conditionalVisibilities\":[{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Change Log\"},{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"}],\"name\":\"text - 67\"}]},\"name\":\"ChangeLogGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall - Overview page has the following features.\\r\\n\\r\\n- All Firewall Data Log Analytics Volume (Total)\\r\\n- All Firewall Data Log Analytics Volume (Per Firewall)\\r\\n- All Firewall Event Categories\\r\\n- All Firewall Event Categories over time\\r\\n- Azure Firewall Metrics data\\r\\n - Traffic\\r\\n - SNAT Port\\r\\n - Network Rule Count\\r\\n - Application Rule Count\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nStart by looking at the workbook filters, examples would be TimeRange, Workspace, Azure Firewall. Note these are filtered based on your azure portal settings of \\\"Default subscription filter\\\". Selecting more resources or more workspaces has an impact on speed of results depending on the data volume of your workspaces. Why TimeRange is a large factor when looking at looking at extremely large data sets of volume(example over 1 Billion logs) so multiple filters have been offered to finetune the results without having to build your own queries.\\r\\n\\r\\nIf this is your first time looking at this workbook, my suggestion is to use 14 days(this is the fastest cached data in Log Analytics), a single workspace, a single firewall, if you're wanting to see the results of one firewall. Best to know where your firewall is sending it's logs too to confirm you didn't select a workspace that doesn't have that firewalls data. How to check, go to the Azure Firewall, click Diagnostic settings, see what Log Analytics workspace is currently configured.\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- Azure Firewall Diagnostic settings enabled, and sending to workspace your azure ad user had RBAC permissions to. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\\r\\n- Azure Metrics requires resource permissions of the Firewall you're wanting data on. \"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"name\":\"text - 59\"},{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall - Application rule log statistics page has the following features.\\r\\n\\r\\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\\r\\n\\r\\n- Unique Source IP Address*\\r\\n- Application Rule Usage\\r\\n- Denied/Allowed FQDN over time\\r\\n- Denied/Allowed FQDN count\\r\\n- Denied/Allowed Web Categories over time\\r\\n- Denied/Allowed Web Categories count\\r\\n- Pre-parsed Azure Firewall Application Rule Logs with a search feature.\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\\r\\n\\r\\nStarting out you'll see the unique source of IP addresses based on the global filters you have in place, this is showing only the top 10 IPAddresses, you can modify the KQL query to show more if needed if you click the \\\"Edit\\\" button. We added in the logic to show the volume over time, under the IP address/count information. If you click on the highest count (my example is 415,786 count, 10.0.24.4 ipaddress) it'll filter everything on the Application rule log statistic page to this IP address specifically. (Only Exception is the Rule Usage). Note this could cause other data sets to become blank as a result, sometimes you only have Approved or Denied access based on the configuration of the firewall.\\r\\n\\r\\nIf you're wanting to search for something a little more specific other than IPAddress filter, you can use the \\\"Search\\\" bar under the \\\"All IP Address events\\\" query to create a custom filter to the parsed logs. Example could be an FQDN \\\"wdcp.microsoft.com\\\" to pull up those logs specifically with that name in it.\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- Azure Firewall Diagnostic settings enabled, specifically requires Application Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall - Network rule log statistics page has the following features.\\r\\n\\r\\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\\r\\n\\r\\n- Rule Actions*\\r\\n\\r\\n- Target Ports*\\r\\n\\r\\n- DNAT Actions*\\r\\n\\r\\n- GeoLocation\\r\\n\\r\\n- Actions over time(Time scrub enabled)\\r\\n\\r\\n- Pre-parsed Network Rule data with GeoLocation added\\r\\n\\r\\n *Note: GeoLocation is using an public file, you have to modify your GeoLocation Global Filter tab to add your own data.*\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\\r\\n\\r\\nStarting out you'll get see pie charts on the screen, each of these can be clicked on to filter the data below. You'll have to click on the color of the wheel in order to use the filter feature. Downfall of this, if it's an extremely small data set, its hard to click on that color due to the challenge of even seeing it. These filters are a top down approach, meaning what clicked on top, filters below. If you'd like, feel free to test this out now. Under \\\"Target Ports, filterable by Target Port\\\" find port 53 ( pretty common port). Click on the wheel with the color that's associated to port 53. You'll see everything change below only showing data that has port 53 associated to it. If you'd like to remove this filter you have a few options. \\r\\n\\r\\n1. Click the \\\"Go back\\\" at the top right of the wheel\\r\\n2. Refresh the whole workbook\\r\\n3. Refresh the whole browser window\\r\\n\\r\\n*A note about the new feature added \\\"GeoLocation\\\", this is public data shared through the Log Analytics developer team to show the feature to associate IP addresses with a GeoLocation file. This had been added to the workbook to show you what's possible, it's encouraged for you to use your own data which could be further enriched. If you had Lat/Long data, you could even add in a map feature into this workbook to show you where the traffic is mostly.*\\r\\n\\r\\nMid-way down the page you'll see the \\\"Actions, by time\\\", if we saw a large spike and wanted to lower the window of traffic, select on the left side(where you're wanting to start, before the event occurred) drag, and move it over to the right. Example March 24th - March 27th. When i was looking over 14 days of time. This will filter the \\\"All IP Addresses events\\\" down to this new time window.\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- Azure Firewall Diagnostic settings enabled, specifically requires Network Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall - DNS Proxy page has the following features.\\r\\n\\r\\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\\r\\n\\r\\n- DNS Traffic by count (Time scrub enabled)\\r\\n- DNS Proxy by Request Name, by Count*\\r\\n- DNS Proxy Request by ClientIP, by Count*\\r\\n- Count over time of Proxy Requests by ClientIP\\r\\n- Pre-parsed DNS Proxy data\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\\r\\n\\r\\nStarting out you'll see the DNS Proxy traffic count, this is a great way to start to narrow down the proxy traffic over a period of time. Example we're looking at the 14 day window, but there was an odd spike or dip in proxy traffic, why? use the time scrub feature to select on the left side(where you're wanting to start, before the event occurred) drag, and move it over to the right. Example March 24th - March 27th.\\r\\n\\r\\nAfter adding our second time filter to the page, move forward to looking at the DNS requests. You might see a large spike in a specific DNS request, could be something you're not even familiar with. Using an example, i see a DNS request for \\\"strcat('md-fpp31tsvhx4s.blob.core.', 'windows.', '.net')\\\"for 300K times in my current filters. By selecting this Request Name, it'll filter on the right showing me which clients are requesting this DNS traffic. Which after clicking on my request, i see 2 different IP addresses now. Oddly though, one is much smaller than the other. Lets select that Ip address to add an additional filter to the logs. Now we can see the logs related to that machine client ip, specifically around that DNS request name. This might help you narrow down if there are any actions that need to be taken on your firewall.\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- Azure Firewall Diagnostic settings enabled, specifically requires DNS Proxy Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall Premium- IDPS page has the following features.\\r\\n\\r\\n*As noted on the title, these logs are only created on the Azure Firewall Premium sku*\\r\\n\\r\\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\\r\\n\\r\\n- IDPS Actions Count*\\r\\n- IDPS Protocol Count*\\r\\n- IDPS SignatureID Count*\\r\\n- IDPS SourceIP Count*\\r\\n- Azure Firewall IDPS count over time (Time Scrub Enabled)\\r\\n- Azure Firewall IDPS logs with GeoLocation\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\\r\\n\\r\\nStarting out you'll see Pie Charts offering multiple filtering options to your IDPS logs, showing Alerts, Protocols, SignatureIDs and Sources of the logs. Lets start by selecting an ClientIP address(SourceIP) under the \\\"IDPS SourceIP Count, filterable by SourceIP\\\". I clicked on the largest one, you might of noticed most of the traffic under the IDPS logs are alerts, Mostly TCP to this ClientIP address and there could be some specific SignatureID's are being triggered. Looking further into the logs, you should expand the Source IP to see the different IP Addresses this client has talked to within the past 14 days(current global filter). The majority of the traffic is going to XX.XX.XX.XX, which is something to remember.\\r\\n\\r\\nGoing further down, you might noticed a spike in traffic, lets use the time scrub feature to narrow down the time window to that spike. Start by selecting on the left side(where you're wanting to start time to be, before the event occurred) drag, and move it over to the right(the end time). Example March 24th - March 27th.\\r\\n\\r\\n*Note; The GeoLocation + Data can take a long time to refresh.*\\r\\n\\r\\nYou should now be able to see data we filtered down to, with it based on GeoLocation/Signature ID's\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- Azure Firewall Premium Diagnostic settings enabled, specifically requires IDPS Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"##### What's on this page?\\r\\n\\r\\nThe Azure Firewall - Investigation page has the following features.\\r\\n\\r\\n*Note, this is a combination of all the logs within the Azure Firewall workbook. Some logs are from the Azure Firewall Premium sku*\\r\\n\\r\\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\\r\\n\\r\\n- IFQDN Traffic by Count*\\r\\n- SourceIP Address*\\r\\n- SourceIPAddress Resource Lookup (Azure Resource Graph)\\r\\n- FQDN Lookup logs\\r\\n- Azure Firewall Threat Intel\\r\\n- Azure Firewall Premium with GeoLocation- IDPS\\r\\n\\r\\n##### How to use this page?\\r\\n\\r\\nIf you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\\r\\n\\r\\nThis is the page where we narrow down everything, You should considering adding your own twist based on your own investigations to this page. Leverage this as a template of where to start and how to move forward.\\r\\n\\r\\nStarting out we see FQDN and IP Address are the page's first filters offered.\\r\\n\\r\\nLooking at source count, you might see something that has a large count. Like the following example \\\"watson.telemetry.microsoft.com\\\". Click on the \\\"Deny\\\"/'Count' line to use the filter feature for the whole page.\\r\\n\\r\\nThis narrowed down our large list of client (SourceIP) address to a smaller list, which could be used to find out which client is being the loudest or maybe something that sneaked in that wasn't suppose to be talking to this FQDN in the first place. Click on an IPAddress(SourceIP). \\r\\n\\r\\nAzure Resource Graph is then used to find which machine this is, which Azure Resource NIC, Public IP address, Subnet, etc.\\r\\n\\r\\nUse the other data sets to help see the logs you've filtered based on the FQDN + IPAddress above. \\r\\n\\r\\n*Note, FQDN isn't required for the Azure Resource Graph lookup.*\\r\\n\\r\\nSome log sources might be blank, that's perfectly acceptable in this scenario as we're filtering down to alerts and events.\\r\\n\\r\\n##### What's required for this workbook to function?\\r\\n\\r\\n- All Azure Firewall Diagnostic Logs\\r\\n- RBAC Permissions for Azure Resource Graph lookup.\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"name\":\"text - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Get-Help\"},{\"type\":1,\"content\":{\"json\":\"# Azure Firewall - overview\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"name\":\"Main title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"where type =~ 'Microsoft.Network/azureFirewalls'\\r\\n| extend Tier = trim(' ', tostring(properties.sku.tier))\\r\\n| extend Status = trim(' ', tostring(iif(isempty(properties.ipConfigurations.[0].properties.provisioningState),properties.provisioningState,properties.ipConfigurations.[0].properties.provisioningState)))\\r\\n| extend Premium = iff(Tier == \\\"Premium\\\", \\\"Yes\\\", \\\"No\\\")\\r\\n| extend Standard = iff(Tier == \\\"Standard\\\", \\\"Yes\\\", \\\"No\\\")\\r\\n| extend ProvisionedState = iff(Status == \\\"Succeeded\\\", \\\"Running\\\", \\\"Not Running\\\")\\r\\n| extend Policy = trim(' ', tostring(properties.firewallPolicy.id))\\r\\n| extend ApplicationRule1 = trim(' ', tostring(properties.applicationRuleCollections.[0].id))\\r\\n| extend ApplicationRule2 = trim(' ', tostring(properties.applicationRuleCollections.[0].id))\\r\\n| extend ApplicationRule3 = iff(ApplicationRule1 == \\\"\\\", \\\"N/A\\\", \\\"\\\")\\r\\n| extend ApplicationRule4 = iff(ApplicationRule2 contains \\\"subscription\\\", \\\"Configured\\\", \\\"\\\")\\r\\n| extend ApplicationRuleClassic = strcat(ApplicationRule3, ApplicationRule4)\\r\\n| extend NetworkRule1 = trim(' ', tostring(properties.networkRuleCollections.[0].id))\\r\\n| extend NetworkRule2 = trim(' ', tostring(properties.networkRuleCollections.[0].id))\\r\\n| extend NetworkRule3 = iff(NetworkRule1 == \\\"\\\", \\\"N/A\\\", \\\"\\\")\\r\\n| extend NetworkRule4 = iff(NetworkRule1 contains \\\"subscription\\\", \\\"Configured\\\", \\\"\\\")\\r\\n| extend NetworkRuleClassic = strcat(NetworkRule3, NetworkRule4)\\r\\n| project Firewall=id, Premium, Standard, ProvisionedState,FirewallPolicy= Policy, ApplicationRuleClassic, NetworkRuleClassic, location, resourceGroup, subscriptionId, tenantId\",\"size\":1,\"title\":\"Azure Firewall Resource List\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"value::selected\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Premium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Yes\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"No\",\"representation\":\"grayBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Standard\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Yes\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"No\",\"representation\":\"grayBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProvisionedState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Running\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not Running\",\"representation\":\"grayBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ApplicationRuleClassic\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"NetworkRuleClassic\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibility\":{\"parameterName\":\"FirewallResources\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"100\",\"name\":\"query - 60\",\"styleSettings\":{\"margin\":\"0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNetworkRule\\r\\n| union AZFWApplicationRule, AZFWNatRule, AZFWThreatIntel, AZFWIdpsSignature, AZFWDnsQuery\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize Volume=count() by bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Events, by time: Query Time({$queryTime})\",\"noDataMessage\":\"There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"25\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNetworkRule\\r\\n| union AZFWApplicationRule, AZFWNatRule, AZFWThreatIntel, AZFWIdpsSignature, AZFWDnsQuery\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize Volume=count() by Resource, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Events, by firewall over time: Query Time({$queryTime})\",\"noDataMessage\":\"There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":4,\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"TopEvent\",\"exportDefaultValue\":\"{\\\"Resource\\\":\\\"*\\\",\\\"ResourceGroup\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Resource\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"amount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"25\",\"name\":\"Firewall per Resource Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNetworkRule\\r\\n| union AZFWApplicationRule, AZFWNatRule, AZFWThreatIntel, AZFWIdpsSignature, AZFWDnsQuery\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize Volume=count() by Type\\r\\n| project Category=Type, Volume\\r\\n| sort by Volume desc\",\"size\":0,\"title\":\"Events, by category: Query Time({$queryTime})\",\"noDataMessage\":\"There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":4,\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"SelectedCategory\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Volume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"25\",\"name\":\"Events by category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNetworkRule\\r\\n| union AZFWApplicationRule, AZFWNatRule, AZFWThreatIntel, AZFWIdpsSignature, AZFWDnsQuery\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize Volume=count() by Type, bin(TimeGenerated, {TimeRange:grain})\\r\\n| project Category=Type, Volume, TimeGenerated\\r\\n| sort by Volume desc\",\"size\":0,\"title\":\"Events categories, by time: Query Time({$queryTime})\",\"noDataMessage\":\"There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"25\",\"name\":\"Events categories by time\"},{\"type\":1,\"content\":{\"json\":\"### Firewall Metrics\\r\\nThe data below dosen't read from the Log Analytics workpsace, it's reading directly from the resources which requires resource visibility. \\r\\nClick [here for more information on Azure Metrics](https://docs.microsoft.com/azure/azure-monitor/platform/data-platform-metrics)\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"name\":\"text - 39\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":86400000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--Throughput\",\"aggregation\":4,\"columnName\":\"All Firewall Throughput Average\"}],\"title\":\"Average Throughput of Firewall Traffic\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"50\",\"name\":\"metric - 25\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":86400000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--SNATPortUtilization\",\"aggregation\":4}],\"title\":\"SNAT Port Utilization\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"50\",\"name\":\"metric - 25 - Copy\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":86400000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--NetworkRuleHit\",\"aggregation\":1}],\"title\":\"Network Rule Hitcount (SUM)\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"50\",\"name\":\"metric - 25 - Copy - Copy\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":86400000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--ApplicationRuleHit\",\"aggregation\":1}],\"title\":\"Application Rule Hitcount (SUM)\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFOverview\"},\"customWidth\":\"50\",\"name\":\"metric - 25 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n# Azure Firewall - Application rule log statistics\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"name\":\"text - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize Amount=count() by SourceIp, bin(TimeGenerated,{TimeRange:grain})\\r\\n| top 10 by Amount\\r\\n| sort by Amount\",\"size\":1,\"title\":\"Unique Source IP addresses, filterable by SelectedSourceIP: Query Time ({$queryTime})\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SelectedSourceIP\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Amount\",\"formatter\":12,\"formatOptions\":{\"showIcon\":true}},\"subtitleContent\":{\"columnMatch\":\"SourceIP\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where RuleCollection matches regex \\\".*\\\" \\r\\n| summarize Count = count(), last_log = datetime_diff(\\\"second\\\", now(), max(TimeGenerated)) by RuleCollection, Rule, WebCategory\",\"size\":1,\"title\":\"Application Rule Usage : Query Time ({$queryTime})\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 36\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where Action == \\\"Deny\\\"\\r\\n| summarize count() by Fqdn, bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Denied FQDN's over time\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where Action == \\\"Deny\\\"\\r\\n| summarize count () by Fqdn\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Denied FQDN's by count\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}],\"sortBy\":[{\"itemKey\":\"$gen_heatmap_count__1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_count__1\",\"sortOrder\":2}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| where Action == \\\"Allow\\\"\\r\\n| summarize count() by Fqdn, bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Allowed FQDN's over time\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| where Action == \\\"Allow\\\"\\r\\n| summarize count () by Fqdn\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Allowed FQDN's by count\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where isnotempty(WebCategory)\\r\\n| where Action == \\\"Allow\\\"\\r\\n| summarize count() by WebCategory, bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Allowed Web Categories over time\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where isnotempty(WebCategory)\\r\\n| where Action == \\\"Allow\\\"\\r\\n| summarize count() by WebCategory\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Allowed Web Categories by count\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]},\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where isnotempty(WebCategory)\\r\\n| where Action == \\\"Deny\\\"\\r\\n| summarize count() by WebCategory, bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Denied Web Categories over time\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where isnotempty(WebCategory)\\r\\n| where Action == \\\"Deny\\\"\\r\\n| summarize count() by WebCategory\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Denied Web Catgories by count\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize by TimeGenerated, Fqdn, Protocol, Action, SourceIp, SourcePort, DestinationPort , _ResourceId , RuleCollection, Rule, WebCategory\",\"size\":0,\"showAnalytics\":true,\"title\":\"All IP addresses events: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFAppRule\"},\"name\":\"query - 9\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n# Azure Firewall - Network rule log statistics\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"name\":\"text - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNetworkRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by Action\",\"size\":3,\"title\":\"Rule actions, filterable by RuleAction\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"RuleAction\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNetworkRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project DestinationPort = tostring(DestinationPort)\\r\\n| summarize count() by DestinationPort\",\"size\":3,\"title\":\"Target ports, filterable by TargetPort\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"DestinationPort\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNatRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize Amount=count() by TranslatedIp\\r\\n\",\"size\":3,\"title\":\"DNAT actions, filterable by NatDestination\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"NatDestination\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//reference list posted here : https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin\\r\\nlet geoData = externaldata\\r\\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\\r\\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\\r\\n[@\\\"{GeoLocation}\\\"] with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nAZFWNetworkRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project DestinationIp\\r\\n| evaluate ipv4_lookup (geoData, DestinationIp, network, false)\\r\\n| summarize count() by continent_name\\r\\n\",\"size\":2,\"title\":\"GeoLocation\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"netcontinent\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 61\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNetworkRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize amount = count() by Action , SourceIp\\r\\n| sort by amount desc\",\"size\":0,\"title\":\"Rule actions, by IP addresses\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Action\",\"formatter\":5},{\"columnMatch\":\"amount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"eventCount\",\"formatter\":3,\"formatOptions\":{\"min\":0,\"palette\":\"blue\"}}],\"rowLimit\":2000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Action\"],\"expandTopLevel\":false,\"finalBy\":\"Action\"}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNetworkRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize AMOUNT=count() by DestinationPort, SourceIp\\r\\n| sort by AMOUNT desc\",\"size\":0,\"title\":\"Target ports, by Source IP: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DestinationPort\",\"formatter\":5},{\"columnMatch\":\"AMOUNT\",\"formatter\":3,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}],\"rowLimit\":2000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"DestinationPort\"],\"expandTopLevel\":false}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNatRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize Amount=count() by TranslatedIp, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"DNAT'ed over time\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//reference list posted here : https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin\\r\\nlet geoData = externaldata\\r\\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\\r\\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\\r\\n[@\\\"{GeoLocation}\\\"] with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nAZFWNetworkRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project DestinationIp, TimeGenerated\\r\\n| evaluate ipv4_lookup (geoData, DestinationIp, network, false)\\r\\n| summarize Amount=count() by continent_name, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"GeoLocation over time\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"customWidth\":\"25\",\"name\":\"query - 13 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWNetworkRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by Action, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Actions, by time\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"ActionsByTimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"name\":\"query - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//reference list posted here : https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin\\r\\nlet geoData = externaldata\\r\\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\\r\\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\\r\\n[@\\\"{GeoLocation}\\\"] with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nAZFWNetworkRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize by TimeGenerated, Protocol, Action, SourceIp, SourcePort, DestinationIp , DestinationPort , _ResourceId\\r\\n| evaluate ipv4_lookup (geoData, DestinationIp, network, false)\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"All IP addresses events with GeoLocation: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"ActionsByTimeBrush\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFNetRule\"},\"name\":\"query - 22\"},{\"type\":1,\"content\":{\"json\":\"# Azure Firewall -DNS Proxy\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"name\":\"text - 41\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWDnsQuery\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project Resource, TimeGenerated\\r\\n| summarize count() by Resource, bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"DNSProxy Traffic by count per Firewall: Query Time({$queryTime}) \",\"noDataMessage\":\"There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"DNSTimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"name\":\"query - 30 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWDnsQuery\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by QueryName\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"DNSProxy count by Request Name, filterable by Request_Name\",\"noDataMessage\":\"There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"DNSTimeBrush\",\"exportFieldName\":\"Request_Name\",\"exportParameterName\":\"DNSRequestName\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"customWidth\":\"25\",\"name\":\"query - 30 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWDnsQuery\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by SourceIp\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"DNSProxy Request count by ClientIP, filterable by ClientIP\",\"noDataMessage\":\"There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"DNSTimeBrush\",\"exportFieldName\":\"ClientIP\",\"exportParameterName\":\"DNSClientIP\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"customWidth\":\"25\",\"name\":\"query - 30 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWDnsQuery\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by SourceIp, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"DNS Proxy Request over time by ClientIP\",\"noDataMessage\":\"There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"DNSTimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"linechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"customWidth\":\"50\",\"name\":\"query - 30 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWDnsQuery\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize by TimeGenerated, _ResourceId, SourceIp, SourcePort, QueryId, QueryType, QueryClass, QueryName, Protocol, RequestSize, DnssecOkBit, EDNS0BufferSize, ResponseCode, ResponseFlags, ResponseSize, RequestDurationSecs, ErrorNumber, ErrorMessage, SourceSystem, Type\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Proxy Information: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/azure/firewall/\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"DNSTimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFDNSProxy\"},\"name\":\"query - 30\"},{\"type\":1,\"content\":{\"json\":\"# Azure Firewall Premium - IDPS\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"name\":\"text - 42\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWIdpsSignature\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by Action\",\"size\":2,\"title\":\"IDPS Actions Count, filterable by Action\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"noDataMessageStyle\":2,\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"IDSIPSAction\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 44\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWIdpsSignature\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by Protocol\",\"size\":2,\"title\":\"IDPS Protocol Count, filterable by Protocol\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"IDSIPSProtocol\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWIdpsSignature\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by SignatureId\",\"size\":2,\"title\":\"IDPS SignatureID Count, filterable by SignatureID\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"IDSIPSSignatureID\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWIdpsSignature\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by SourceIp, DestinationIp\\r\\n| sort by count_ desc\\r\\n\",\"size\":2,\"title\":\"IDPS SourceIP Count, filterable by SourceIP\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"IDSIPSSourceIP\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceIP\",\"formatter\":5}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"SourceIP\"],\"expandTopLevel\":false}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWIdpsSignature\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by Action\",\"size\":0,\"title\":\"Filtered IDPS Actions by Count\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 44 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWIdpsSignature\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by Protocol\",\"size\":0,\"title\":\"Filtered IDPS Protocols by Count\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWIdpsSignature\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize count() by SignatureId\",\"size\":0,\"title\":\"Filtered IDPS SignatureIDs by Count\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWIdpsSignature\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize Volume=count() by DestinationIp, SourceIp\\r\\n| sort by Volume desc\",\"size\":0,\"title\":\"Filtered SourceIP, filterable by DestIP\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"DestIP\",\"exportParameterName\":\"IDSIPSDestIP\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"Volume\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"}}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"SourceIp\"],\"expandTopLevel\":false}},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SourceIP\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Volume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"SourceIP\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Volume\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"customWidth\":\"25\",\"name\":\"query - 45 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWIdpsSignature\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| project Resource, TimeGenerated\\r\\n| summarize count() by Resource, bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Azure Firewall IDPS count over time\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"AFIDSIPSBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceIP\",\"formatter\":5}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"SourceIP\"],\"expandTopLevel\":false}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"name\":\"query - 45\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//reference list posted here : https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin\\r\\nlet geoData = externaldata\\r\\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\\r\\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\\r\\n[@\\\"{GeoLocation}\\\"] with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nAZFWIdpsSignature\\r\\n| evaluate ipv4_lookup (geoData, DestinationIp, network, false)\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall IDPS logs with GeoLocation: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/azure/firewall/premium-features\",\"timeContextFromParameter\":\"AFIDSIPSBrush\",\"timeBrushParameterName\":\"AFIDSIPSBrush\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Group\",\"formatter\":1}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"continent_code\",\"country_name\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFIDSIPS\"},\"name\":\"query - 45 - Copy\"},{\"type\":1,\"content\":{\"json\":\"# Azure Firewall - Investigation\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"name\":\"text - 43\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n//| where Action contains \\\"Deny\\\"\\r\\n| where isnotempty(Fqdn)\\r\\n| summarize count() by Fqdn, Action\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"FQDN Traffic by Count, filterable by FQDN: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"FQDN\",\"exportParameterName\":\"FullName\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"minimumIntegerDigits\":1,\"maximumFractionDigits\":1,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"FQDN\",\"formatter\":1}],\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"customWidth\":\"35\",\"name\":\"query - 29 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n//| where Action contains \\\"Deny\\\"\\r\\n| where isnotempty(Fqdn)\\r\\n| summarize count() by SourceIp\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"SourceIP Address, filterable: Query Time({$queryTime})\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"SourceIP\",\"parameterName\":\"InvestigateIP\",\"parameterType\":1,\"defaultValue\":\"privateIPAddress\"},{\"fieldName\":\"SourceIP\",\"parameterName\":\"InvestigateIPWC\",\"parameterType\":1,\"defaultValue\":\"*\"},{\"fieldName\":\"SubscriptionId\",\"parameterName\":\"SelectedSubscriptionId\",\"parameterType\":1,\"defaultValue\":\"-\"}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SubscriptionId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceIP\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},\"showBorder\":true,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"customWidth\":\"15\",\"name\":\"query - 33\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type =~ 'microsoft.network/networkinterfaces'\\r\\n| where properties contains \\\"{InvestigateIP}\\\"\\r\\n| extend NSG = properties['networkSecurityGroup']['id']\\r\\n| parse NSG with \\\"/subscriptions/\\\" NetworkSecurityGroup_Sub \\\"/resourceGroups/\\\" NetworkSecurityGroup_rg \\\"/providers/Microsoft.Network/networkSecurityGroups/\\\" NetworkSecurityGroup_Name\\r\\n| project id, PrivateIPAddress = tostring(properties['ipConfigurations'][0]['properties']['privateIPAddress']), PublicIPAddress = tostring(properties['ipConfigurations'][0]['properties']['publicIPAddress']['id']), VirtualMachine = tostring(properties['virtualMachine']['id']), subnet = tostring(properties['ipConfigurations'][0]['properties']['subnet']['id']), NetworkSecurityGroup = NetworkSecurityGroup_Name, properties, subscriptionId, tenantId\",\"size\":0,\"title\":\"SourceIPAddress Resource Lookup: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"exportFieldName\":\"id\",\"exportParameterName\":\"Testid\",\"exportDefaultValue\":\"*\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"value::selected\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"properties\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceIP\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},\"showBorder\":true,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"customWidth\":\"50\",\"name\":\"query - 33 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWApplicationRule\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| where isnotempty(Fqdn)\\r\\n| where SourceIp == \\\"{InvestigateIPWC:label}\\\" or '{InvestigateIPWC}' == \\\"*\\\"\\r\\n| where Fqdn == \\\"{FullName:label}\\\" or '{FullName}' == \\\"*\\\"\\r\\n| summarize by TimeGenerated, Fqdn, Protocol, Action, SourceIp, SourcePort, DestinationPort , _ResourceId , RuleCollection, Rule, WebCategory\\r\\n\\r\\n\\r\\n\",\"size\":0,\"title\":\"FQDN Lookup logs: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"customWidth\":\"100\",\"name\":\"query - 33\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AZFWThreatIntel\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize by TimeGenerated, Protocol, SourceIp, SourcePort, Fqdn, DestinationPort, TargetUrl, Action, ThreatDescription\",\"size\":0,\"title\":\"Azure Firewall Threat Intel: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"noDataMessage\":\"There is no Azure Firewall Threat Intel for your filtered results\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"rowLimit\":2000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"name\":\"query - 29\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//reference list posted here : https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-lookup-plugin\\r\\nlet geoData = externaldata\\r\\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\\r\\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\\r\\n[@\\\"{GeoLocation}\\\"] with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nAZFWIdpsSignature\\r\\n| parse _ResourceId with * \\\"azurefirewalls/\\\" Resource\\r\\n| where Resource in~ (split(\\\"{Resource:label}\\\", \\\", \\\"))\\r\\n| summarize by TimeGenerated, SignatureId, Category, Description, Severity, Protocol, SourceIp, SourcePort, DestinationIp, DestinationPort, Action, _ResourceId\\r\\n| evaluate ipv4_lookup (geoData, DestinationIp, network, false)\\r\\n\",\"size\":0,\"title\":\"Azure Firewall Premium with GeoLocation- IDPS: Query Time({$queryTime}) : Total Rows({$rowCount})\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspaces}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"$gen_group\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"Group\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"country_name\",\"formatter\":5},{\"columnMatch\":\"-- Group By --\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"Message\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Description\",\"continent_name\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"AFInvestigate\"},\"name\":\"query - 58\"}],\"fallbackResourceIds\":[\"azure monitor\"],\"fromTemplateId\":\"sentinel-AzureFirewallStructuredLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]",
"properties": {
"description": "@{workbookKey=AzureFirewallWorkbook-StructuredLogs; logoFileName=AzFirewalls.svg; description=Gain insights into Azure Firewall events using the new Structured Logs for Azure Firewall. You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Azure Firewall Structured Logs; templateRelativePath=AzureFirewallWorkbook-StructuredLogs.json; subtitle=; provider=Microsoft}.description",
"parentId": "[variables('workbookId2')]",
"contentId": "[variables('_workbookContentId2')]",
"kind": "Workbook",
"version": "[variables('workbookVersion2')]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"contentId": "AZFWNetworkRule",
"kind": "DataType"
},
{
"contentId": "AZFWApplicationRule",
"kind": "DataType"
},
{
"contentId": "AZFWDnsQuery",
"kind": "DataType"
},
{
"contentId": "AZFWThreatIntel",
"kind": "DataType"
},
{
"contentId": "AzureFirewall",
"kind": "DataConnector"
}
]
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_workbookContentId2')]",
"contentKind": "Workbook",
"displayName": "[parameters('workbook2-name')]",
"contentProductId": "[variables('_workbookcontentProductId2')]",
"id": "[variables('_workbookcontentProductId2')]",
"version": "[variables('workbookVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall data connector with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "StaticUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "Azure Firewall",
"publisher": "Microsoft",
"descriptionMarkdown": "Connect to Azure Firewall. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2220124&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "AzureDiagnostics",
"baseQuery": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\""
},
{
"metricName": "Total data received",
"legend": "AZFWApplicationRule",
"baseQuery": "AZFWApplicationRule"
},
{
"metricName": "Total data received",
"legend": "AZFWFlowTrace",
"baseQuery": "AZFWFlowTrace"
},
{
"metricName": "Total data received",
"legend": "AZFWFatFlow",
"baseQuery": "AZFWFatFlow"
},
{
"metricName": "Total data received",
"legend": "AZFWNatRule",
"baseQuery": "AZFWNatRule"
},
{
"metricName": "Total data received",
"legend": "AZFWDnsQuery",
"baseQuery": "AZFWDnsQuery"
},
{
"metricName": "Total data received",
"legend": "AZFWIdpsSignature",
"baseQuery": "AZFWIdpsSignature"
},
{
"metricName": "Total data received",
"legend": "AZFWInternalFqdnResolutionFailure",
"baseQuery": "AZFWInternalFqdnResolutionFailure"
},
{
"metricName": "Total data received",
"legend": "AZFWNetworkRule",
"baseQuery": "AZFWNetworkRule"
},
{
"metricName": "Total data received",
"legend": "AZFWThreatIntel",
"baseQuery": "AZFWThreatIntel"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWApplicationRule\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWFlowTrace\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWFatFlow\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWNatRule\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWDnsQuery\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWIdpsSignature\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWInternalFqdnResolutionFailure\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWNetworkRule\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWThreatIntel\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [
{
"name": "AzureDiagnostics (Azure Firewall)",
"lastDataReceivedQuery": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWApplicationRule",
"lastDataReceivedQuery": "AZFWApplicationRule\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWFlowTrace",
"lastDataReceivedQuery": "AZFWFlowTrace\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWFatFlow",
"lastDataReceivedQuery": "AZFWFatFlow\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWNatRule",
"lastDataReceivedQuery": "AZFWNatRule\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWDnsQuery",
"lastDataReceivedQuery": "AZFWDnsQuery\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWIdpsSignature",
"lastDataReceivedQuery": "AZFWIdpsSignature\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWInternalFqdnResolutionFailure",
"lastDataReceivedQuery": "AZFWInternalFqdnResolutionFailure\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWNetworkRule",
"lastDataReceivedQuery": "AZFWNetworkRule\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWThreatIntel",
"lastDataReceivedQuery": "AZFWThreatIntel\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "Azure Firewall",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "StaticUI",
"properties": {
"connectorUiConfig": {
"title": "Azure Firewall",
"publisher": "Microsoft",
"descriptionMarkdown": "Connect to Azure Firewall. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2220124&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "AzureDiagnostics",
"baseQuery": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\""
},
{
"metricName": "Total data received",
"legend": "AZFWApplicationRule",
"baseQuery": "AZFWApplicationRule"
},
{
"metricName": "Total data received",
"legend": "AZFWFlowTrace",
"baseQuery": "AZFWFlowTrace"
},
{
"metricName": "Total data received",
"legend": "AZFWFatFlow",
"baseQuery": "AZFWFatFlow"
},
{
"metricName": "Total data received",
"legend": "AZFWNatRule",
"baseQuery": "AZFWNatRule"
},
{
"metricName": "Total data received",
"legend": "AZFWDnsQuery",
"baseQuery": "AZFWDnsQuery"
},
{
"metricName": "Total data received",
"legend": "AZFWIdpsSignature",
"baseQuery": "AZFWIdpsSignature"
},
{
"metricName": "Total data received",
"legend": "AZFWInternalFqdnResolutionFailure",
"baseQuery": "AZFWInternalFqdnResolutionFailure"
},
{
"metricName": "Total data received",
"legend": "AZFWNetworkRule",
"baseQuery": "AZFWNetworkRule"
},
{
"metricName": "Total data received",
"legend": "AZFWThreatIntel",
"baseQuery": "AZFWThreatIntel"
}
],
"dataTypes": [
{
"name": "AzureDiagnostics (Azure Firewall)",
"lastDataReceivedQuery": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWApplicationRule",
"lastDataReceivedQuery": "AZFWApplicationRule\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWFlowTrace",
"lastDataReceivedQuery": "AZFWFlowTrace\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWFatFlow",
"lastDataReceivedQuery": "AZFWFatFlow\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWNatRule",
"lastDataReceivedQuery": "AZFWNatRule\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWDnsQuery",
"lastDataReceivedQuery": "AZFWDnsQuery\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWIdpsSignature",
"lastDataReceivedQuery": "AZFWIdpsSignature\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWInternalFqdnResolutionFailure",
"lastDataReceivedQuery": "AZFWInternalFqdnResolutionFailure\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWNetworkRule",
"lastDataReceivedQuery": "AZFWNetworkRule\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "AZFWThreatIntel",
"lastDataReceivedQuery": "AZFWThreatIntel\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWApplicationRule\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWFlowTrace\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWFatFlow\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWNatRule\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWDnsQuery\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWIdpsSignature\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWInternalFqdnResolutionFailure\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWNetworkRule\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWThreatIntel\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"id": "[variables('_uiConfigId1')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AzureFirewallConnector Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
"parameters": {
"Custom Connector Name": {
"defaultValue": "AzureFirewallConnector",
"type": "string",
"metadata": {
"description": "Name of the Azure Firewall Connector"
}
}
},
"variables": {
"azure": "[[concat('https://management','.azure','.com')]",
"domain": "[[replace(variables('azure'), 'https://', '')]",
"operationId-GetFirewall": "GetFirewall",
"_operationId-GetFirewall": "[[variables('operationId-GetFirewall')]",
"operationId-UpdateFirewall": "UpdateFirewall",
"_operationId-UpdateFirewall": "[[variables('operationId-UpdateFirewall')]",
"operationId-UpdateTags": "UpdateTags",
"_operationId-UpdateTags": "[[variables('operationId-UpdateTags')]",
"operationId-ListAll": "ListAll",
"_operationId-ListAll": "[[variables('operationId-ListAll')]",
"operationId-List": "List",
"_operationId-List": "[[variables('operationId-List')]",
"operationId-GetFirewallPolicy": "GetFirewallPolicy",
"_operationId-GetFirewallPolicy": "[[variables('operationId-GetFirewallPolicy')]",
"operationId-FirewallPoliciesDelete": "FirewallPoliciesDelete",
"_operationId-FirewallPoliciesDelete": "[[variables('operationId-FirewallPoliciesDelete')]",
"operationId-CreateOrUpdateFirewallPolicy": "CreateOrUpdateFirewallPolicy",
"_operationId-CreateOrUpdateFirewallPolicy": "[[variables('operationId-CreateOrUpdateFirewallPolicy')]",
"operationId-IPGroupsGet": "IPGroupsGet",
"_operationId-IPGroupsGet": "[[variables('operationId-IPGroupsGet')]",
"operationId-IPGroupsDelete": "IPGroupsDelete",
"_operationId-IPGroupsDelete": "[[variables('operationId-IPGroupsDelete')]",
"operationId-IPGroupsCreateOrUpdate": "IPGroupsCreateOrUpdate",
"_operationId-IPGroupsCreateOrUpdate": "[[variables('operationId-IPGroupsCreateOrUpdate')]",
"operationId-IPGroupsUpdateTags": "IPGroupsUpdateTags",
"_operationId-IPGroupsUpdateTags": "[[variables('operationId-IPGroupsUpdateTags')]",
"operationId-IPGroupsList": "IPGroupsList",
"_operationId-IPGroupsList": "[[variables('operationId-IPGroupsList')]",
"operationId-IPGroupsListByResourceGroup": "IPGroupsListByResourceGroup",
"_operationId-IPGroupsListByResourceGroup": "[[variables('operationId-IPGroupsListByResourceGroup')]",
"operationId-FirewallPoliciesList": "FirewallPoliciesList",
"_operationId-FirewallPoliciesList": "[[variables('operationId-FirewallPoliciesList')]",
"operationId-FirewallPoliciesListAll": "FirewallPoliciesListAll",
"_operationId-FirewallPoliciesListAll": "[[variables('operationId-FirewallPoliciesListAll')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"playbookContentId1": "AzureFirewallConnector",
"playbookId1": "[[resourceId('Microsoft.Web/customApis', parameters('Custom Connector Name'))]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"type": "Microsoft.Web/customApis",
"apiVersion": "2016-06-01",
"name": "[[parameters('Custom Connector Name')]",
"location": "[[variables('workspace-location-inline')]",
"properties": {
"connectionParameters": {
"token": {
"type": "oauthSetting",
"oAuthSettings": {
"identityProvider": "aadcertificate",
"clientId": "[variables('blanks')]",
"scopes": "[variables('TemplateEmptyArray')]",
"redirectMode": "Direct",
"redirectUrl": "[variables('blanks')]",
"properties": {
"IsFirstParty": "False"
},
"customParameters": {
"resourceUri": {
"value": "[[variables('azure')]"
},
"loginUriAAD": {
"value": "https://login.windows.net"
}
}
},
"uiDefinition": {
"displayName": "Login your Credentials",
"description": "Login your Credentials",
"tooltip": "Provide your Credentials",
"constraints": {
"required": "false",
"hidden": "true"
}
}
},
"token:clientId": {
"type": "string",
"uiDefinition": {
"displayName": "Client ID",
"description": "Client (or Application) ID of the Azure Active Directory application.",
"constraints": {
"required": "false",
"hidden": "true"
}
}
},
"token:clientSecret": {
"type": "securestring",
"uiDefinition": {
"displayName": "Client Secret",
"description": "Client secret of the Azure Active Directory application.",
"constraints": {
"required": "false",
"hidden": "true"
}
}
},
"token:TenantId": {
"type": "string",
"metadata": {
"sourceType": "AzureActiveDirectoryTenant"
},
"uiDefinition": {
"displayName": "Tenant",
"description": "The tenant ID of for the Azure Active Directory application",
"constraints": {
"required": "false",
"hidden": "true"
}
}
},
"token:resourceUri": {
"type": "string",
"uiDefinition": {
"displayName": "ResourceUri",
"description": "The resource you are requesting authorization to use.",
"constraints": {
"required": "false",
"hidden": "true"
}
}
},
"token:grantType": {
"type": "string",
"allowedValues": [
{
"value": "client_credentials"
}
],
"uiDefinition": {
"displayName": "Grant Type",
"description": "Grant type",
"constraints": {
"required": "false",
"hidden": "true",
"allowedValues": [
{
"text": "Client Credentials",
"value": "client_credentials"
}
]
}
}
}
},
"backendService": {
"serviceUrl": "[[variables('azure')]"
},
"brandColor": "#FFFFFF",
"displayName": "[[parameters('Custom Connector Name')]",
"iconUri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAOcAAADnCAYAAADl9EEgAAAACXBIWXMAAAsSAAALEgHS3X78AAAMNElEQVR4nO3dX2yV9R3H8V9HtQwdhRIZ4PiXFUMGrDgDwRuKyaIuM6FesiVS3J27QHS3hpBd6MU25MJbqV7oxRItiSZzF3pKZJKRFWrrYgRSikKRhdIWKa1QXL5Pe+DQHug5p+d5ns/v97xfyUnQBJ7nPOd8zu//71dTs+dIq3NulQOgJFfrnLNwNvOxAFp+xOcBaCKcgCjCCYginIAowgmIIpyAKMIJiCKcgCjCCYginIAowgmIIpyAKMIJiCKcgCjCCYginIAowgmIIpyAKMIJiCKcgCjCCYginIAowgmIIpyAKMIJiCKcgCjCCYginIAowgmIIpyAKMIJiCKcgCjCCYginIAowgmIIpyAKMIJiCKcgKhaPhj/Lfhxrdv48AMzvo8zA6PuzMBY1h+XNwinR7Y11ruNy+a5pocfcKsa5kaBrJ87p+w3MDQ67k6cuxqFtevcVXfi/IjLnRrK8JPVRDiFWfi2r2+IQtn88/lVu1ELtP170b+56fb/7zg97A51X3K508NReJEuwilmVUOd2711mWvZ0OBWLqxL9OZuBdY513d5zLX9+6J769hFqsIpqanZcyRnn0sm372Q1k2L3c7Ni6taQlbLoZ4Bd+BwP1XfZO2j5EyZhXLv08sTLyXLYVVre1m1d99HXxPShBDOlPgQyqmsVP/4hXWENCGMcybMOnk++eN69+aORq+CWSgf0oM7GqNhHMSDcCZo71PLXefLTZLtykrs3LTY9b7yWNR5heojnAmw0vL4n5qicIbGhmXe27WWUjQGhDNm1ra0amzTspln8PhsZ/Q+15U0UwmlIZwxstLE2paVzOLxkf0A2Q+RTZrA7BHOGFj17v3n10alSdbYD5F1FrVm8L1XG42EKrNgWvUu9GrsTKzGYNqOXVS+TWmUnFVEMO9kAaUErRzhrBKCWRwBrRzhrBJrYxLM4iygjIWWj3BWgfXKhjKxIC4Hd6xhmKVMhHOWXty6NJO9suWyXlwmKpSHcM6ClQR/a1nt7f0nzar9Byd7cTEzwlmh/FgmymNLz2h/loZwVsjmyfq6qiRt1v6kejszwlkBm562e+tS7+5bRb79iXsjnBXgizV7+Y3LcHeEs0xUZ6tnf8uqUN5KLAhnGayd9GLzMm/uV5313jJ76O4IZxmsnZmV5V9JsX2UUBzhLBGlZjysiUDpWRzhLBGlZnxsv15MRzhL1MoXKDY2L5l5t9MRzhKkcTRC1jA/eTqmaRRh55XYKV72i25/ZjwufvYDuKe9N/S3WRbCOdnZ07K+wTU3zo+CSCmZPHvm9uzZRf62TIfTegm3b5g4BwTps8+BcN6WuXDmj9izDh56X7Vsa2TBeqHMhNNCaVPv6HjQZTOGrIkxeO1G5p+Fy0I47cO2ULKKxA9WerZ3D2T+ObjQw2ltyv3Prqb66hErPQnnhCDHOSe2qVyfqaMQQsGw1W3BlZw2XmYr7Qmln6xvABOCCqe1LUM8Zi9LGGO+LZhqre1OQDDDQOk5wfuSk2MQwmNTJ88MjGX9MfhdchJMhGxOzeN/aLUfK9/eI8EMl5WcVrVdOK/Wjd646QavjWfxMXR4W621NibBDJOtBio8e6bv8lg05/ZQz0CmxkC9DKcFk8nq2WE9uDbt0l5Do+OuvfuSO3C43504dzXoZ+Bdm7N18kNCNtn4tX3+nS83RRNNQp604FU4bSsLm44HuMnq78cvrAs2pF6F8yDT8VBEPqShHTHoTThtggEdQLgXq+72vvJYMKeYeRFOq84y+welsJrVe7vWuv0BnJvqRThDeNBIlq3ftbaoz9Vc+XBaFaVwzAsolX1vbKKKrwGVDyelJmbD+imsHerjptXS4bQxTZYQYbbyh/X6VoJKh3N3M/v+oDqsBPWtiisbThtUZugE1WTfJ59OJZcN585NDwncBUJjc7J9GZaTDKdVPZg/i7hYOH2Y7icZzhZWnCBmPnQQSYZzeyDTr6DLRgHUNxqXDCd7lyIJVr1V3kxMLpwWTFaeICnKnUNy4WSqHpJkHY+qpadcOH2cZgW/qZaehBOZZ6WnYs+tXDiZS4s0tApOepEKJ720SMvOzXqTXoI8AhAol827VesYkgrnxmXzBO4CWaU2M00qnPUB7ZwG/zSLNauo1gKT1Po8CCcwyWamKbU7CSdQwE44UyEVzq7zYR9MA31K00elwpnRcxiBoqTCeWZgVOAukGVK00fFwjkmcBfIMqU5tnIdQh2nhwXuAkifXDhDP60YKJVcOLsIJ1Kk1O8hF87c6SGBu0BWKfV7yIXTHg7jnUjL0LUbMs9ecoZQ7hSdQkjHifMjMk9eMpxvHbsocBfIIqUOSclw2gPqu8yYJ5Jl37lBqrUzO9BxXvXWEKjcKa3OSNlwth37n8BdIEs6xPo6ZMNp1QvankhSe8+A1POWXs+576OvBe4CWXCoZ0CqvWmkN+2xMU8rPdM6q7Pjtddc36efpnLtrFiwYoV78tVX3dz6dLcIOdStVWo69XC6ydIzjXC+/cwzru/IkcSvmzX2jC90d7vnPvggtYAOjY67NsEmlPw2JVZ6Jl297XrnHYKZoG97eqJaSlpeFx0Z8GIPoQOH+xMd9xw8ezaxa2HCt93dqTwJKzXt+6XIi3BaQ33Xu6cE7gShsVJTrSMoz5tdnG2A2H7h0joq/JG6OremLv5tE4+OjLhLNya+LEsWPeSe3LIt9mv+82jOXbg0Ma68qLbWbZkX/877he8zLcqlpvMpnG6yc2hb4/zoXIukPThnjlt6332xX/X+mppbf667v86tXPKz2K9p1ym8ftLvMy37/nFWttR0vu1bm6/e2i8eMBu2Hc7rwqWm83FTaZsUv+vdkwJ3Al/Zj7sP3yEvd3xv7x5wz9NBhArteb/Xi50evT2OwQaNmd6HctmMM8UJB8V4fVaKhZPJ8SiVtTN9GpLz/iAje9gvtfcK3AmU2b5Uz775pVefURCnjFmvG21Q3I0F84k3vpAeNikmmCMArR3xq792McyCO/gaTBfa+Zw2zLL6z//hSAdErD/C12A632YIlcI+iCfe6HF7n1oevarlu/Fx13/9euz3//0PP9z689j3Y67vwjexX9OuU3j9pN9nHKyz0Pfe/ODCmWcfjK1u39+yuioHon41Nha9kmTzXd/+8O+JXtPmu3447G/Nw1YvWSeh2mZdlQj62Hmr5lopap1FbLUZPpvE/uhfuoIIpgu55CzUNjnwbNXc1s2L3cqF8a8uQXKsj2FPe29wJ9RlIpx5+XZI66bFbu/Ty8sKaTlLxtJY9tX11X9d18kvbv33b+fPvio/k5NTqvpNa9a5pkd+UdLfLVymVikLpX2eoZSUU2UqnHn5ktSOGLf1oS0bFrn6uXPu+XfKWTKWxrKvvv47O46SWPbVP2U95oKfzC/5vRYuUyuHDZW1d1+KQhn6SeiZDGfexAqXU9FrW2O9276+IVovCi3WX2Clo3XwtQvukheXTIezkH34+erRb3rOuS0qN5YxFkQrEe2H0w5StvNaQy8h74ZwFjF6/abcPYXO2o+tL/0r64/hDkEPpQA+I5yAKMIJiCKcgCjCCYginIAohlJKVM6SsTSWfQ1euXMlSRLLvuyZTL2HUt9r4TI1FEc4S1TpkrE0ln2ZNJZ92dzewvm9mB2qtYAowgmIolpbIk4Zqy6FU8bUEc4SccpYdSmcMqaOai0ginACoggnIIpwAqIIJyCKcAKiCCcginACoggnIIoZQiWyJVidCVyncBnW0JVhd/j40divOVSw3Myu33ntWuzXnLrcDNMRzhJZOJNYI1lo8Lth19H5WaLXvHLzpuscGUn0miiOai0ginAW0bv0l3L3FLovVzye9UcwDeEs4sySDS638Xdy9xUqe96frdue9ccwDW3Ou/jk0d9HJejq/s8l7y8Ugw/+1B1f8+usP4aiCOc92C+6vYA0UK0FRBFOQBThBEQRTkAU4QREEU5AFOEERBFOQBThBEQRTkAU4QREEU5AFOEERBFOQBThBEQRTkAU4QREEU5AFOEERBFOQBThBEQRTkAU4QREEU5AFOEERBFOQBThBEQRTkAU4QREEU5AFOEERBFOQBThBEQRTkAU4QREEU5AFOEERBFOQBThBEQRTkAU4QREEU5AFOEERBFOQBThBEQRTkBUrXOuzTmX4wMChDiX+z+n1Ju7nMtUlwAAAABJRU5ErkJggg==",
"swagger": {
"swagger": "2.0",
"info": {
"title": "Default title",
"description": "[variables('blanks')]",
"version": "1.0"
},
"host": "[[variables('domain')]",
"basePath": "/",
"schemes": [
"https"
],
"consumes": "[variables('TemplateEmptyArray')]",
"produces": "[variables('TemplateEmptyArray')]",
"paths": {
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/azureFirewalls/{azureFirewallName}": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name for the azure firewall",
"title": "name"
},
"id": {
"type": "string",
"description": "Unique id of the Azure firewall",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the azure firewall",
"title": "type"
},
"etag": {
"type": "string",
"description": "Tag for azure firewall",
"title": "etag"
},
"location": {
"type": "string",
"description": "Location of azure firewall",
"title": "location"
},
"zones": {
"type": "array",
"description": "zones"
},
"tags": {
"type": "object",
"properties": {
"key1": {
"type": "string",
"description": "key1"
}
},
"description": "tags"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "Provisioning state of the rule collection",
"title": "provisioning State"
},
"sku": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "suku name",
"title": "name"
},
"tier": {
"type": "string",
"description": "tier"
}
},
"description": "sku"
},
"threatIntelMode": {
"type": "string",
"description": "Threat Intel Mode",
"title": "threatIntelMode"
},
"ipConfigurations": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the IP configuration",
"title": "name"
},
"id": {
"type": "string",
"description": "Unique id for IP configuration",
"title": "id"
},
"etag": {
"type": "string",
"description": "Tag for azure firewall",
"title": "etag"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "Provisioning State",
"title": "ProvisioningState"
},
"privateIPAddress": {
"type": "string",
"description": "private IP Address of the rule collection",
"title": "privateIPAddress"
},
"subnet": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "subnet Unique id",
"title": "id"
}
},
"description": "subnet"
},
"publicIPAddress": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "public IP of the rule collection",
"title": "id"
}
},
"description": "publicIPAddress"
}
},
"description": "properties"
}
}
},
"description": "ipConfigurations"
},
"applicationRuleCollections": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the rule collection",
"title": "name"
},
"properties": {
"type": "object",
"properties": {
"priority": {
"type": "integer",
"format": "int32",
"description": "Priority of the rule collection",
"title": "priority"
},
"action": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "Type of the rule colloection",
"title": "type"
}
},
"description": "action"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"description": {
"type": "string",
"description": "description"
},
"protocols": {
"type": "array",
"items": {
"type": "object",
"properties": {
"protocolType": {
"type": "string",
"description": "protocolType"
},
"port": {
"type": "integer",
"format": "int32",
"description": "port"
}
}
},
"description": "protocols"
},
"targetFqdns": {
"type": "array",
"items": {
"type": "string"
},
"description": "targetFqdns"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
}
}
},
"description": "rules"
}
},
"description": "properties"
}
}
},
"description": "applicationRuleCollections"
},
"natRuleCollections": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the rule collection",
"title": "name"
},
"properties": {
"type": "object",
"properties": {
"priority": {
"type": "integer",
"format": "int32",
"description": "priority of the azure firewall",
"title": "priority"
},
"action": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "Type of the rule collection",
"title": "type"
}
},
"description": "action"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"description": {
"type": "string",
"description": "description"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
},
"destinationAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationAddresses"
},
"destinationPorts": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationPorts"
},
"protocols": {
"type": "array",
"items": {
"type": "string"
},
"description": "protocols"
},
"translatedAddress": {
"type": "string",
"description": "translatedAddress"
},
"translatedPort": {
"type": "string",
"description": "translatedPort"
},
"translatedFqdn": {
"type": "string",
"description": "translatedFqdn"
}
}
},
"description": "rules"
}
},
"description": "properties"
}
}
},
"description": "natRuleCollections"
},
"networkRuleCollections": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the rule collection",
"title": "name"
},
"properties": {
"type": "object",
"properties": {
"priority": {
"type": "integer",
"format": "int32",
"description": "priority of rule collection",
"title": "priority"
},
"action": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "Type of the rule collection type",
"title": "type"
}
},
"description": "action"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"description": {
"type": "string",
"description": "description"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
},
"destinationPorts": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationPorts"
},
"destinationAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationAddresses"
},
"protocols": {
"type": "array",
"items": {
"type": "string"
},
"description": "protocols"
},
"destinationFqdns": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationFqdns"
}
}
},
"description": "rules"
}
},
"description": "properties"
}
}
},
"description": "networkRuleCollections"
},
"ipGroups": {
"type": "array",
"description": "ipGroups"
},
"additionalProperties": {
"type": "object",
"description": "additionalProperties"
}
},
"description": "properties"
}
}
}
}
},
"summary": "Gets the specified Azure Firewall",
"description": "Gets the specified Azure Firewall",
"operationId": "[[variables('_operationId-GetFirewall')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string",
"description": "Please Enter Subscription Id"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter your Resource Group Name"
},
{
"name": "azureFirewallName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter your Firewall name"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01"
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the Firewall",
"title": "name"
},
"id": {
"type": "string",
"description": "Id of the Azure firewall",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the azure firewall",
"title": "type"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
},
"location": {
"type": "string",
"description": "location of the firewall",
"title": "location"
},
"zones": {
"type": "array",
"description": "zones"
},
"tags": {
"type": "object",
"properties": {
"key1": {
"type": "string",
"description": "key1",
"title": "key"
}
},
"description": "tags"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "Provisioning state firewall",
"title": "provisioningState"
},
"sku": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "suku name",
"title": "name"
},
"tier": {
"type": "string",
"description": "Tier of the azure firewall",
"title": "tier"
}
},
"description": "sku"
},
"threatIntelMode": {
"type": "string",
"description": "threatIntelMode"
},
"ipConfigurations": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the IP configuration",
"title": "name"
},
"id": {
"type": "string",
"description": "IP Configuration ID",
"title": "id"
},
"etag": {
"type": "string",
"description": "etag"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "provisioning State",
"title": "Provisioning State"
},
"privateIPAddress": {
"type": "string",
"description": "Private IP Address configuration rule",
"title": "Private IP Address"
},
"subnet": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "subnet id",
"title": "id"
}
},
"description": "subnet"
},
"publicIPAddress": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Id of the public IP addess",
"title": "id"
}
},
"description": "publicIPAddress"
}
},
"description": "properties"
}
}
},
"description": "ipConfigurations"
},
"applicationRuleCollections": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the rule collection",
"title": "name"
},
"properties": {
"type": "object",
"properties": {
"priority": {
"type": "integer",
"format": "int32",
"description": "priority of the rule collection",
"title": "priority"
},
"action": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "Type of the",
"title": "type"
}
},
"description": "action"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"description": {
"type": "string",
"description": "description"
},
"protocols": {
"type": "array",
"items": {
"type": "object",
"properties": {
"protocolType": {
"type": "string",
"description": "protocolType"
},
"port": {
"type": "integer",
"format": "int32",
"description": "port"
}
}
},
"description": "protocols"
},
"targetFqdns": {
"type": "array",
"items": {
"type": "string"
},
"description": "targetFqdns"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
}
}
},
"description": "rules"
}
},
"description": "properties"
}
}
},
"description": "applicationRuleCollections"
},
"natRuleCollections": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the rule collection",
"title": "name"
},
"properties": {
"type": "object",
"properties": {
"priority": {
"type": "integer",
"format": "int32",
"description": "Priority of the firewall",
"title": "priority"
},
"action": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "Type of rule collection",
"title": "type"
}
},
"description": "action"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"description": {
"type": "string",
"description": "description"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
},
"destinationAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationAddresses"
},
"destinationPorts": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationPorts"
},
"protocols": {
"type": "array",
"items": {
"type": "string"
},
"description": "protocols"
},
"translatedAddress": {
"type": "string",
"description": "translatedAddress"
},
"translatedPort": {
"type": "string",
"description": "translatedPort"
},
"translatedFqdn": {
"type": "string",
"description": "translatedFqdn"
}
}
},
"description": "rules"
}
},
"description": "properties"
}
}
},
"description": "natRuleCollections"
},
"networkRuleCollections": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the rule collection",
"title": "name"
},
"properties": {
"type": "object",
"properties": {
"priority": {
"type": "integer",
"format": "int32",
"description": "Priority of the rule collection",
"title": "priority"
},
"action": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "Type of the network rule collection",
"title": "type"
}
},
"description": "action"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"description": {
"type": "string",
"description": "description"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
},
"destinationPorts": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationPorts"
},
"destinationAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationAddresses"
},
"protocols": {
"type": "array",
"items": {
"type": "string"
},
"description": "protocols"
},
"destinationFqdns": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationFqdns"
}
}
},
"description": "rules"
}
},
"description": "properties"
}
}
},
"description": "networkRuleCollections"
},
"ipGroups": {
"type": "array",
"description": "ipGroups"
},
"additionalProperties": {
"type": "object",
"description": "additionalProperties"
}
},
"description": "properties"
}
}
}
}
},
"summary": "Creates or updates the specified Azure Firewall",
"description": "Creates or updates the specified Azure Firewall",
"operationId": "[[variables('_operationId-UpdateFirewall')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Subscription Id"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Resource Group name"
},
{
"name": "azureFirewallName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Azure Firewall name"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01",
"description": "Please enter api version"
},
{
"name": "body",
"in": "body",
"required": false,
"schema": {
"type": "object",
"properties": {
"location": {
"type": "string",
"description": "location"
},
"properties": {
"type": "object",
"properties": {
"networkRuleCollections": {
"type": "object",
"description": "networkRuleCollections"
}
},
"description": "properties"
}
}
}
}
]
},
"patch": {
"responses": {
"default": {
"description": "default"
}
},
"summary": "Updates tags for Azure Firewall resource",
"description": "Updates tags for Azure Firewall resource",
"operationId": "[[variables('_operationId-UpdateTags')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Subscription Id"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Resource Group name"
},
{
"name": "azureFirewallName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Azure Firewall name"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"description": "Please enter api version"
},
{
"name": "body",
"in": "body",
"required": false,
"schema": {
"type": "object",
"properties": {
"tags": {
"type": "object",
"description": "tags"
}
}
}
}
]
}
},
"/subscriptions/{subscriptionId}/providers/Microsoft.Network/azureFirewalls": {
"get": {
"responses": {
"default": {
"description": "default"
}
},
"summary": "Gets all the Azure Firewalls in a subscription",
"description": "List All Azure Firewalls in Subscription",
"operationId": "[[variables('_operationId-ListAll')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string"
}
]
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/azureFirewalls": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"value": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the firewall",
"title": "name"
},
"id": {
"type": "string",
"description": "Id of the azure firewall",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the firewall",
"title": "type"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
},
"location": {
"type": "string",
"description": "location of the azure firewall",
"title": "location"
},
"zones": {
"type": "array",
"description": "zones"
},
"tags": {
"type": "object",
"properties": {
"key1": {
"type": "string",
"description": "key1",
"title": "key1"
}
},
"description": "tags"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "provisioning State of the subnet",
"title": "provisioning State"
},
"threatIntelMode": {
"type": "string",
"description": "Threat Intel Mode",
"title": "threatIntelMode"
},
"ipConfigurations": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"id": {
"type": "string",
"description": "id"
},
"etag": {
"type": "string",
"description": "etag"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "provisioningState"
},
"privateIPAddress": {
"type": "string",
"description": "privateIPAddress"
},
"subnet": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id"
}
},
"description": "subnet"
},
"publicIPAddress": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id"
}
},
"description": "publicIPAddress"
}
},
"description": "properties"
}
}
},
"description": "ipConfigurations"
},
"managementIpConfiguration": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"id": {
"type": "string",
"description": "Id of Management IP configuration",
"title": "id"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "Provisioning State",
"title": "provisioningState"
},
"subnet": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "subnet id of the azure",
"title": "id"
}
},
"description": "subnet"
},
"publicIPAddress": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Id of the azure public IP",
"title": "id"
}
},
"description": "publicIPAddress"
}
},
"description": "properties"
}
},
"description": "managementIpConfiguration"
},
"applicationRuleCollections": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"properties": {
"type": "object",
"properties": {
"priority": {
"type": "integer",
"format": "int32",
"description": "priority"
},
"action": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "type"
}
},
"description": "action"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"description": {
"type": "string",
"description": "description"
},
"protocols": {
"type": "array",
"items": {
"type": "object",
"properties": {
"protocolType": {
"type": "string",
"description": "protocolType"
},
"port": {
"type": "integer",
"format": "int32",
"description": "port"
}
}
},
"description": "protocols"
},
"targetFqdns": {
"type": "array",
"items": {
"type": "string"
},
"description": "targetFqdns"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
}
}
},
"description": "rules"
}
},
"description": "properties"
}
}
},
"description": "applicationRuleCollections"
},
"natRuleCollections": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"properties": {
"type": "object",
"properties": {
"priority": {
"type": "integer",
"format": "int32",
"description": "priority"
},
"action": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "type"
}
},
"description": "action"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"description": {
"type": "string",
"description": "description"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
},
"destinationAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationAddresses"
},
"destinationPorts": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationPorts"
},
"protocols": {
"type": "array",
"items": {
"type": "string"
},
"description": "protocols"
},
"translatedAddress": {
"type": "string",
"description": "translatedAddress"
},
"translatedPort": {
"type": "string",
"description": "translatedPort"
},
"translatedFqdn": {
"type": "string",
"description": "translatedFqdn"
}
}
},
"description": "rules"
}
},
"description": "properties"
}
}
},
"description": "natRuleCollections"
},
"networkRuleCollections": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"properties": {
"type": "object",
"properties": {
"priority": {
"type": "integer",
"format": "int32",
"description": "priority"
},
"action": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "type"
}
},
"description": "action"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"description": {
"type": "string",
"description": "description"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
},
"destinationPorts": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationPorts"
},
"destinationAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationAddresses"
},
"protocols": {
"type": "array",
"items": {
"type": "string"
},
"description": "protocols"
},
"destinationFqdns": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationFqdns"
}
}
},
"description": "rules"
}
},
"description": "properties"
}
}
},
"description": "networkRuleCollections"
},
"ipGroups": {
"type": "array",
"description": "ipGroups"
},
"additionalProperties": {
"type": "object",
"properties": {
"key1": {
"type": "string",
"description": "key of the firewall",
"title": "key1"
},
"key2": {
"type": "string",
"description": "key2"
}
},
"description": "additionalProperties"
}
},
"description": "properties"
}
}
},
"description": "value"
}
}
}
}
},
"summary": "Lists all Azure Firewalls in a resource group",
"description": "List Azure Firewalls in Resource Group",
"operationId": "[[variables('_operationId-List')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Subscription Id"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Resource Group name"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01",
"description": "Please enter api version"
}
]
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the firewall",
"title": "name"
},
"id": {
"type": "string",
"description": "Id of the firewall",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the azure firewall",
"title": "type"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
},
"location": {
"type": "string",
"description": "location of the firewall",
"title": "location"
},
"tags": {
"type": "object",
"properties": {
"key1": {
"type": "string",
"description": "key1",
"title": "key1"
}
},
"description": "tags"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "Provisioning State of the firewall",
"title": "provisioningState"
},
"threatIntelMode": {
"type": "string",
"description": "threat Intel mode of the firewall",
"title": "threatIntelMode"
},
"threatIntelWhitelist": {
"type": "object",
"properties": {
"ipAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "ipAddresses"
},
"fqdns": {
"type": "array",
"items": {
"type": "string"
},
"description": "fqdns"
}
},
"description": "threatIntelWhitelist"
},
"ruleCollectionGroups": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Id of the Rule collection group",
"title": "id"
}
}
},
"description": "ruleCollectionGroups"
},
"firewalls": {
"type": "array",
"description": "firewalls"
},
"dnsSettings": {
"type": "object",
"properties": {
"servers": {
"type": "array",
"items": {
"type": "string"
},
"description": "servers"
},
"enableProxy": {
"type": "boolean",
"description": "enable proxy of the firewall",
"title": "enableproxy",
"enum": [
"",
"true",
"false"
]
},
"requireProxyForNetworkRules": {
"type": "boolean",
"description": "requireProxyForNetworkRules"
}
},
"description": "dnsSettings"
},
"sku": {
"type": "object",
"properties": {
"tier": {
"type": "string",
"description": "tier of firewall",
"title": "tier"
}
},
"description": "sku"
},
"intrusionDetection": {
"type": "object",
"properties": {
"mode": {
"type": "string",
"description": "Mode of the intruction detection",
"title": "mode"
},
"configuration": {
"type": "object",
"properties": {
"signatureOverrides": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Id of the signature override",
"title": "id"
},
"mode": {
"type": "string",
"description": "Mode of the signature override",
"title": "mode"
}
}
},
"description": "signatureOverrides"
},
"bypassTrafficSettings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the traffic setting",
"title": "name"
},
"description": {
"type": "string",
"description": "Description of traffic setting",
"title": "description"
},
"protocol": {
"type": "string",
"description": "Protocol setting",
"title": "protocol"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
},
"destinationAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationAddresses"
},
"destinationPorts": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationPorts"
}
}
},
"description": "bypassTrafficSettings"
}
},
"description": "configuration"
}
},
"description": "intrusionDetection"
},
"transportSecurity": {
"type": "object",
"properties": {
"certificateAuthority": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name of the certificate Authority",
"title": "name"
},
"keyVaultSecretId": {
"type": "string",
"description": "key Vault Secret Id of the firewall",
"title": "keyVaultSecretId"
}
},
"description": "certificateAuthority"
}
},
"description": "transportSecurity"
}
},
"description": "properties"
}
}
}
}
},
"summary": "Get firewall policy information",
"description": "Get firewall policy information",
"operationId": "[[variables('_operationId-GetFirewallPolicy')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Subscription Id"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Resource Group name"
},
{
"name": "firewallPolicyName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Firewall Policy name"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01",
"description": "Please enter api version"
}
]
},
"delete": {
"responses": {
"default": {
"description": "default"
}
},
"summary": "Deletes the specified Firewall Policy.",
"description": "Deletes the specified Firewall Policy.",
"operationId": "[[variables('_operationId-FirewallPoliciesDelete')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "firewallPolicyName",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01"
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the firewall",
"title": "name"
},
"id": {
"type": "string",
"description": "Unique id of the azure id",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the firewall",
"title": "type"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
},
"location": {
"type": "string",
"description": "location"
},
"tags": {
"type": "object",
"properties": {
"key1": {
"type": "string",
"description": "key1",
"title": "key1"
}
},
"description": "tags"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "Provisioning State",
"title": "provisioningState"
},
"threatIntelMode": {
"type": "string",
"description": "threatIntelMode"
},
"threatIntelWhitelist": {
"type": "object",
"properties": {
"ipAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "ipAddresses"
},
"fqdns": {
"type": "array",
"items": {
"type": "string"
},
"description": "fqdns"
}
},
"description": "threatIntelWhitelist"
},
"ruleCollectionGroups": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id"
}
}
},
"description": "ruleCollectionGroups"
},
"firewalls": {
"type": "array",
"description": "firewalls"
},
"dnsSettings": {
"type": "object",
"properties": {
"servers": {
"type": "array",
"items": {
"type": "string"
},
"description": "servers"
},
"enableProxy": {
"type": "boolean",
"description": "Enable Proxy of the firewall",
"title": "enableProxy",
"enum": [
"",
"true",
"false"
]
},
"requireProxyForNetworkRules": {
"type": "boolean",
"description": "Require Proxy For Network Rules of firewall",
"title": "requireProxyForNetworkRules",
"enum": [
"",
"true",
"false"
]
}
},
"description": "dnsSettings"
},
"sku": {
"type": "object",
"properties": {
"tier": {
"type": "string",
"description": "tier"
}
},
"description": "sku"
},
"intrusionDetection": {
"type": "object",
"properties": {
"mode": {
"type": "string",
"description": "mode of the interaction",
"title": "mode"
},
"configuration": {
"type": "object",
"properties": {
"signatureOverrides": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Id signature override",
"title": "id"
},
"mode": {
"type": "string",
"description": "mode of signature",
"title": "mode"
}
}
},
"description": "signatureOverrides"
},
"bypassTrafficSettings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the firewall",
"title": "name"
},
"description": {
"type": "string",
"description": "Description of the azure firewall",
"title": "description"
},
"protocol": {
"type": "string",
"description": "Protocol of the azure",
"title": "protocol"
},
"sourceAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "sourceAddresses"
},
"destinationAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationAddresses"
},
"destinationPorts": {
"type": "array",
"items": {
"type": "string"
},
"description": "destinationPorts"
}
}
},
"description": "bypassTrafficSettings"
}
},
"description": "configuration"
}
},
"description": "intrusionDetection"
},
"transportSecurity": {
"type": "object",
"properties": {
"certificateAuthority": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the certificate authority",
"title": "name"
},
"keyVaultSecretId": {
"type": "string",
"description": "key vault secret Id",
"title": "keyVaultSecretId"
}
},
"description": "certificateAuthority"
}
},
"description": "transportSecurity"
}
},
"description": "properties"
}
}
}
}
},
"summary": "Creates or updates the specified Firewall Policy.",
"description": "Creates or updates the specified Firewall Policy.",
"operationId": "[[variables('_operationId-CreateOrUpdateFirewallPolicy')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "firewallPolicyName",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string"
},
{
"name": "body",
"in": "body",
"required": false,
"schema": {
"type": "object",
"properties": {
"tags": {
"type": "object",
"description": "tags"
},
"location": {
"type": "string",
"description": "location"
},
"properties": {
"type": "object",
"properties": {
"threatIntelWhitelist": {
"type": "object",
"properties": {
"ipAddresses": {
"type": "array",
"description": "ipAddresses"
}
},
"description": "threatIntelWhitelist"
}
},
"description": "properties"
}
}
}
}
]
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/ipGroups/{ipGroupsName}": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the group",
"title": "name"
},
"id": {
"type": "string",
"description": "Id IP group set",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the azure firewall",
"title": "type"
},
"location": {
"type": "string",
"description": "location of the group set",
"title": "location"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "provisioningState"
},
"ipAddresses": {
"type": "array",
"items": {
"type": "string",
"title": "[variables('blanks')]"
},
"description": "ipAddresses"
},
"firewalls": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Id Group set",
"title": "id"
}
}
},
"description": "firewalls"
},
"firewallPolicies": {
"type": "array",
"description": "firewallPolicies"
}
},
"description": "properties"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
}
}
}
}
},
"summary": "IP Groups - Get",
"description": "Gets the specified ipGroups.",
"operationId": "[[variables('_operationId-IPGroupsGet')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Subscription Id"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Resource Group name"
},
{
"name": "ipGroupsName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter IP Group name"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01",
"description": "Please enter api version"
}
]
},
"delete": {
"responses": {
"default": {
"description": "default"
}
},
"summary": "Deletes the specified ipGroups",
"description": "Deletes the specified IP Groups",
"operationId": "[[variables('_operationId-IPGroupsDelete')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "ipGroupsName",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string"
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"id": {
"type": "string",
"description": "Id of groups",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the group",
"title": "type"
},
"location": {
"type": "string",
"description": "location"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "Provisioning State",
"title": "provisioning State"
},
"ipAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "ipAddresses"
},
"firewalls": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique id of the firewall policy",
"title": "id"
}
}
},
"description": "firewalls"
},
"firewallPolicies": {
"type": "array",
"description": "firewallPolicies"
}
},
"description": "properties"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
}
}
}
}
},
"summary": "IP Groups - Create Or UpdateCreates or updates an ipGroups in a specified resource group",
"description": "Creates or updates an IP Groups in a specified resource group.",
"operationId": "[[variables('_operationId-IPGroupsCreateOrUpdate')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Subscription Id"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Resource Group name"
},
{
"name": "ipGroupsName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter IP Group name"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01",
"description": "Please enter api version"
},
{
"name": "body",
"in": "body",
"required": false,
"schema": {
"type": "object",
"properties": {
"tags": {
"type": "object",
"description": "tags"
},
"location": {
"type": "string",
"description": "location"
},
"properties": {
"type": "object",
"properties": {
"ipAddresses": {
"type": "object",
"description": "ipAddresses"
}
},
"description": "properties"
}
}
}
}
]
},
"patch": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name"
},
"id": {
"type": "string",
"description": "Id of the updated group",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the group",
"title": "type"
},
"location": {
"type": "string",
"description": "location of the group",
"title": "location"
},
"tags": {
"type": "object",
"properties": {
"key1": {
"type": "string",
"description": "key1",
"title": "key1"
},
"key2": {
"type": "string",
"description": "key2",
"title": "key2"
}
},
"description": "tags"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "provisioningState"
},
"ipAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "ipAddresses"
},
"firewalls": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique ID of the group",
"title": "id"
}
}
},
"description": "firewalls"
},
"firewallPolicies": {
"type": "array",
"description": "firewallPolicies"
}
},
"description": "properties"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
}
}
}
}
},
"summary": "Updates tags of an IpGroups resource",
"description": "Updates tags of an IpGroups resource",
"operationId": "[[variables('_operationId-IPGroupsUpdateTags')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "ipGroupsName",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01"
},
{
"name": "body",
"in": "body",
"required": false,
"schema": {
"type": "object",
"properties": {
"tags": {
"type": "object",
"description": "tags"
}
}
}
}
]
}
},
"/subscriptions/{subscriptionId}/providers/Microsoft.Network/ipGroups": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"value": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the groups",
"title": "name"
},
"id": {
"type": "string",
"description": "Id groups",
"title": "id"
},
"type": {
"type": "string",
"description": "type of the group",
"title": "type"
},
"location": {
"type": "string",
"description": "location of the group",
"title": "location"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "Provisioning State",
"title": "provisioningState"
},
"ipAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "ipAddresses"
},
"firewalls": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id"
}
}
},
"description": "firewalls"
},
"firewallPolicies": {
"type": "array",
"description": "firewallPolicies"
}
},
"description": "properties"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
}
}
},
"description": "value"
}
}
}
}
},
"summary": "Ip Groups - ListGets all IpGroups in a subscription",
"description": "Gets all IpGroups in a subscription",
"operationId": "[[variables('_operationId-IPGroupsList')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01"
}
]
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/ipGroups": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"value": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the group",
"title": "name"
},
"id": {
"type": "string",
"description": "unique id of group",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the group",
"title": "type"
},
"location": {
"type": "string",
"description": "location of the group",
"title": "location"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "Provisioning State",
"title": "provisioningState"
},
"ipAddresses": {
"type": "array",
"items": {
"type": "string"
},
"description": "ipAddresses"
},
"firewalls": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id"
}
}
},
"description": "firewalls"
},
"firewallPolicies": {
"type": "array",
"description": "firewallPolicies"
}
},
"description": "properties"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
}
}
},
"description": "value"
}
}
}
}
},
"summary": "Gets all IpGroups in a resource group",
"description": "Gets all IpGroups in a resource group",
"operationId": "[[variables('_operationId-IPGroupsListByResourceGroup')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Subscription Id"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Resource Group name"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01",
"description": "Please enter api version"
}
]
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"value": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the firewall policy",
"title": "name"
},
"id": {
"type": "string",
"description": "ID of the firewall policy",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the firewall policy",
"title": "type"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
},
"location": {
"type": "string",
"description": "Location of the firewall policy",
"title": "location"
},
"tags": {
"type": "object",
"properties": {
"key1": {
"type": "string",
"description": "key1",
"title": "key1"
}
},
"description": "tags"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "provisioningState"
},
"threatIntelMode": {
"type": "string",
"description": "Threat Intel Mode of the firewall policy",
"title": "threatIntelMode"
},
"ruleCollectionGroups": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id"
}
}
},
"description": "ruleCollectionGroups"
},
"firewalls": {
"type": "array",
"description": "firewalls"
},
"dnsSettings": {
"type": "object",
"properties": {
"servers": {
"type": "array",
"items": {
"type": "string"
},
"description": "servers"
},
"enableProxy": {
"type": "boolean",
"description": "Enable Proxy for the firewall policy",
"title": "enableProxy",
"enum": [
"",
"true",
"false"
]
},
"requireProxyForNetworkRules": {
"type": "boolean",
"description": "requireProxyForNetworkRules"
}
},
"description": "dnsSettings"
},
"sku": {
"type": "object",
"properties": {
"tier": {
"type": "string",
"description": "tier",
"title": "tier"
}
},
"description": "sku"
}
},
"description": "properties"
}
}
},
"description": "value"
}
}
}
}
},
"summary": "Lists all Firewall Policies in a resource group.",
"description": "Lists all Firewall Policies in a resource group.",
"operationId": "[[variables('_operationId-FirewallPoliciesList')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Subscription Id"
},
{
"name": "resourceGroupName",
"in": "path",
"required": true,
"type": "string",
"description": "Please enter Resource Group name"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01",
"description": "Please enter api version"
}
]
}
},
"/subscriptions/{subscriptionId}/providers/Microsoft.Network/firewallPolicies": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"value": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Name of the firewall",
"title": "name"
},
"id": {
"type": "string",
"description": "unique id for the firewall policy",
"title": "id"
},
"type": {
"type": "string",
"description": "Type of the firewall",
"title": "type"
},
"etag": {
"type": "string",
"description": "etag",
"title": "etag"
},
"location": {
"type": "string",
"description": "location of the firewall",
"title": "location"
},
"tags": {
"type": "object",
"properties": {
"key1": {
"type": "string",
"description": "key1",
"title": "key1"
}
},
"description": "tags"
},
"properties": {
"type": "object",
"properties": {
"provisioningState": {
"type": "string",
"description": "provisioningState"
},
"threatIntelMode": {
"type": "string",
"description": "Threat Intel Mode",
"title": "threatIntelMode"
},
"ruleCollectionGroups": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id"
}
}
},
"description": "ruleCollectionGroups"
},
"firewalls": {
"type": "array",
"description": "firewalls"
},
"dnsSettings": {
"type": "object",
"properties": {
"servers": {
"type": "array",
"items": {
"type": "string"
},
"description": "servers"
},
"enableProxy": {
"type": "boolean",
"description": "enableProxy"
},
"requireProxyForNetworkRules": {
"type": "boolean",
"description": "Require Proxy For Network Rules of the firewall policy",
"title": "requireProxyForNetworkRules",
"enum": [
"",
"true",
"false"
]
}
},
"description": "dnsSettings"
},
"sku": {
"type": "object",
"properties": {
"tier": {
"type": "string",
"description": "tier",
"title": "tier"
}
},
"description": "sku"
}
},
"description": "properties"
}
}
},
"description": "value"
}
}
}
}
},
"summary": "Gets all the Firewall Policies in a subscription.",
"description": "Gets all the Firewall Policies in a subscription.",
"operationId": "[[variables('_operationId-FirewallPoliciesListAll')]",
"parameters": [
{
"name": "subscriptionId",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "api-version",
"in": "query",
"required": false,
"type": "string",
"default": "2020-07-01"
}
]
}
}
},
"securityDefinitions": {
"oauth2_auth": {
"type": "oauth2",
"flow": "accessCode",
"authorizationUrl": "https://login.windows.net/common/oauth2/authorize",
"tokenUrl": "https://login.windows.net/common/oauth2/authorize",
"scopes": {
"openid": "openid"
}
}
},
"security": [
{
"oauth2_auth": [
"openid"
]
}
],
"tags": "[variables('TemplateEmptyArray')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId1'),'/'))))]",
"properties": {
"parentId": "[[variables('playbookId1')]",
"contentId": "[variables('_playbookContentId1')]",
"kind": "LogicAppsCustomConnector",
"version": "[variables('playbookVersion1')]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
],
"metadata": {
"comments": "This Azure Firewall connector uses Firewall, IP Groups and Firewall Policies APIs to perform different actions on the Firewall, IP Groups and Firewall Policies.",
"lastUpdateTime": "2024-02-12T11:10:21.962Z",
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId1')]",
"contentKind": "LogicAppsCustomConnector",
"displayName": "AzureFirewallConnector",
"contentProductId": "[variables('_playbookcontentProductId1')]",
"id": "[variables('_playbookcontentProductId1')]",
"version": "[variables('playbookVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AzureFirewall-BlockIP-addToIPGroup Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
"parameters": {
"PlaybookName": {
"defaultValue": "AzureFirewall-BlockIP-addToIPGroup",
"type": "string",
"metadata": {
"description": "Name of the Logic Apps resource to be created"
}
},
"CustomConnectorName": {
"defaultValue": "AzureFirewallConnector",
"type": "string",
"metadata": {
"description": "Name of the custom connector which interacts with Azure Firewall. Cannot contain spaces."
}
},
"Teams GroupId": {
"defaultValue": "TeamgroupId",
"type": "String",
"metadata": {
"description": "GroupId of the Team channel"
}
},
"Teams ChannelId": {
"defaultValue": "TeamChannelId",
"type": "String",
"metadata": {
"description": "Team ChannelId"
}
},
"clientId": {
"defaultValue": "<enter the ClientId of the application>",
"type": "string"
},
"clientSecret": {
"defaultValue": "<enter the Client secret of the application>",
"type": "securestring"
}
},
"variables": {
"OAuthConnection": "[[concat('AzureFirewall-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
"TeamsConnectionName": "[[concat('teamsconnector-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[[concat('VirusTotal-', parameters('PlaybookName'))]",
"connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-1": "[[variables('connection-1')]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
"_connection-3": "[[variables('connection-3')]",
"connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/virustotal')]",
"_connection-4": "[[variables('connection-4')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('OAuthConnection')]",
"location": "[[variables('workspace-location-inline')]",
"properties": {
"displayName": "OAuthConnection",
"parameterValues": {
"token:clientId": "[[parameters('clientId')]",
"token:clientSecret": "[[parameters('clientSecret')]",
"token:TenantId": "[[subscription().tenantId]",
"token:grantType": "client_credentials"
},
"api": {
"id": "[[variables('_connection-1')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('AzureSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]"
],
"kind": "V1",
"properties": {
"displayName": "[[variables('AzureSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('TeamsConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]"
],
"properties": {
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('VirusTotalConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]"
],
"properties": {
"api": {
"id": "[[variables('_connection-4')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]",
"[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('VirusTotalConnectionName'))]"
],
"tags": {
"hidden-SentinelTemplateName": "BlockIP-AzureFirewall-IPGroups",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Entities_-_Get_IPs": {
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
}
},
"For_each_Malicious_IP_Address_Entity_present_in_the_Incident": {
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"actions": {
"Condition_to_check_malicious_IP_Address_to_block_": {
"actions": {
"Add_comment_to_incident_with_the_Virus_Total_report_and_the_action_taken_": {
"runAfter": {
"Creates_or_updates_an_ipGroups_in_a_specified_resource_group": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><strong>Azure Firewall Playbook performed the following action:<br>\n<br>\nIP Address : &nbsp;</strong><strong>@{items('For_each_Malicious_IP_Address_Entity_present_in_the_Incident')?['Address']}</strong><strong><br>\n<br>\nGot Virus Total Report &nbsp;:<br>\n<br>\nCountry &nbsp;: &nbsp;</strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['country']}</strong><strong><br>\nContinent :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['continent']}<br>\n<strong>ASN :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['asn']}<br>\n<strong>AS_Owner L</strong> : @{body('Ip_scan_report_V3')?['data']?['attributes']?['as_owner']}<br>\n<br>\n<strong>Total Votes :</strong><br>\n<strong>&nbsp;<br>\n&nbsp;Malicious : </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}<br>\n<strong>&nbsp;Positives Votes : </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['harmless']}<br>\n&nbsp;<strong>Negative Votes : </strong>&nbsp;@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}<br>\n<strong>&nbsp;Suspicious Votes: </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}<br>\n<strong>&nbsp;Number of reports saying that is Undetected : </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['undetected']}<br>\n<strong>Network : </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['network']}<br>\n<strong><br>\nAction Taken in Azure Firewall<br>\n<br>\nAdded IP Address :</strong> &nbsp;@{items('For_each_Malicious_IP_Address_Entity_present_in_the_Incident')?['Address']} <strong>to the IPGroup</strong><br>\n<strong><br>\n<br>\n<br>\n</strong></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"description": "Add a comment to the incident with the Virus Total report and the action taken "
},
"Append_malicious_IP_Address_to_the_existing_IP_Address_List": {
"runAfter": {
"Assign_Existing_IP_Addresses": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "IPAddresses",
"value": "@items('For_each_Malicious_IP_Address_Entity_present_in_the_Incident')?['Address']"
},
"description": "Append the Malicious IP Address to the variable IPAddresses"
},
"Assign_Existing_IP_Addresses": {
"runAfter": {
"Gets_the_specified_ipGroups": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "IPAddresses",
"value": "@body('Gets_the_specified_ipGroups')?['properties']?['ipAddresses']"
},
"description": "Variable to store the Existing IP Addresses"
},
"Creates_or_updates_an_ipGroups_in_a_specified_resource_group": {
"runAfter": {
"Append_malicious_IP_Address_to_the_existing_IP_Address_List": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"location": "@body('Gets_the_specified_ipGroups')?['location']",
"properties": {
"ipAddresses": "@variables('IPAddresses')"
},
"tags": {
"Configuration": "Sentinel"
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['AzureFirewallConnector']['connectionId']"
}
},
"method": "put",
"path": "/subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/providers/Microsoft.Network/ipGroups/@{encodeURIComponent(body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['IPGroupSelectedVal'])}",
"queries": {
"api-version": "2020-07-01"
}
},
"description": "Post the list of IP Addresses along with Malicious IP Address present in the Incident"
},
"Gets_the_specified_ipGroups": {
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['AzureFirewallConnector']['connectionId']"
}
},
"method": "get",
"path": "/subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/providers/Microsoft.Network/ipGroups/@{encodeURIComponent(body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['IPGroupSelectedVal'])}",
"queries": {
"api-version": "2020-07-01"
}
},
"description": "Get all the IP Addresses present in the provided Resource group from Azure Firewall connector"
},
"Update_incident": {
"runAfter": {
"Add_comment_to_incident_with_the_Virus_Total_report_and_the_action_taken_": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentStatus']}"
},
"incidentArmId": "@triggerBody()?['object']?['id']",
"severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentSeverity']}",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [
"Succeeded"
]
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)": {
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><strong>Azure Firewall Playbook performed the following action:</strong><br>\n<br>\n<strong>IP Address :</strong> &nbsp;@{items('For_each_Malicious_IP_Address_Entity_present_in_the_Incident')?['Address']}<br>\n<br>\n<strong>Virus Total Report &nbsp;:</strong><br>\n<br>\n<strong>Country &nbsp;: </strong>&nbsp;@{body('Ip_scan_report_V3')?['data']?['attributes']?['country']}<br>\n<strong>Continent :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['continent']}<br>\n<strong>ASN :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['asn']}<br>\n<strong>AS_Owner : </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['as_owner']}<br>\n<br>\n<strong>Total Votes :</strong><br>\n&nbsp;<br>\n<strong>&nbsp;Malicious :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}<br>\n<strong>&nbsp;Positives Votes : </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['harmless']}<br>\n<strong>&nbsp;Negative Votes :</strong> &nbsp;@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}<br>\n<strong>&nbsp;Suspicious Votes: </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}<br>\n<strong>&nbsp;Number of reports saying that is Undetected :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['undetected']}<br>\n<strong>Network : </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['network']}<br>\n<br>\n<strong>Action Taken in Azure Firewall</strong><br>\n<br>\n<strong>Ignored to add IP Address : </strong>@{items('For_each_Malicious_IP_Address_Entity_present_in_the_Incident')?['Address']} <strong>to the IPGroup</strong></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']",
"OK"
]
}
]
},
"type": "If",
"description": "Condition to compare with the Action chosen to Block the IP Address or Ignore"
},
"Gets_all_IpGroups_in_a_resource_group": {
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['AzureFirewallConnector']['connectionId']"
}
},
"method": "get",
"path": "/subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/providers/Microsoft.Network/ipGroups",
"queries": {
"api-version": "2020-07-01"
}
},
"description": "Lists all the IP Groups present in the Resource Group"
},
"Ip_scan_report_V3": {
"runAfter": {
"Select_IPGroups_Choice_List_to_show_in_the_Adaptive_Card": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['virustotal']['connectionId']"
}
},
"method": "get",
"path": "/api/v3/ip_addresses/@{encodeURIComponent(items('For_each_Malicious_IP_Address_Entity_present_in_the_Incident')?['Address'])}"
},
"description": "Reports the input IP Address is Malicious "
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": {
"runAfter": {
"Ip_scan_report_V3": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Suspicious IP - Microsoft Sentinel\",\n \"wrap\": true\n },\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"@{triggerBody()?['object']?['properties']?['severity']} incident @{triggerBody()?['object']?['properties']?['title']} \",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n }, \n \n \n \n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"IP Address : @{items('For_each_Malicious_IP_Address_Entity_present_in_the_Incident')?['Address']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"bolder\",\n \"text\": \"Virus Total Report\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Country : @{body('Ip_scan_report_V3')?['data']?['attributes']?['country']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Continent : @{body('Ip_scan_report_V3')?['data']?['attributes']?['continent']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"ASN : @{body('Ip_scan_report_V3')?['data']?['attributes']?['asn']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"As_Owner : @{body('Ip_scan_report_V3')?['data']?['attributes']?['as_owner']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"bolder\",\n \"text\": \"Total Votes : \",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Malicious : @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['malicious']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Positive Votes : @{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['harmless']} \",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Suspicious : @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Number of reports saying that is Undetected : @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['undetected']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Network : @{body('Ip_scan_report_V3')?['data']?['attributes']?['network']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration:\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Microsoft Sentinel incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"Close incident - False Positive\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"Close incident - True Positive\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Close incident - Benign Positive\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel incident severity?\"\n },\n {\n \"choices\": [\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n \n },\n {\n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n },\n{\n \"type\": \"TextBlock\",\n \"text\": \"Azure Firewall Actions\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAATYAAACjCAMAAAA3vsLfAAAA6lBMVEX///8VZr/mIyP/c4GCEBCAHTODDgl6Dg7hIiL/dYOJERHsJCT/d4UAX713AADpLjHkGRblHRz7Z3TuQkg8WKUAYL19AAAAW7vk0tIAaMPzra3lCQn1WGLrHxWUS4TrNzv3X2qjbKP0+PwAV7r/w8nb5/Uca8HG1+3Q3vBKhsyct982ecbp8PiowuR5oda80OotcsSrxOWGAADeKDJWis2Hqtpol9Nzn9Zkk9EkcMNGgcozecfh7PeWsdtVS4txMll3Kkx8Iz5qOWp/GyyBFyMxX7PyTlYsTqHAusqwfKry5uaIICCjXl6zeXlTdqKmAAAGVUlEQVR4nO2dW1vjNhBAEbul0KKyoQiXdluo09jEMbGT5kZIltJ7d9v//3eqrFkgdhwriuWZcXQeeTDR+Ub3kbS3Z6kHod8bjtoxf8Jrj4PId6F/F2JavcktE5wLtsTHv3S6UQv692HEH8csLWxZHusE1twS1914nbJPSHPzEPq3YsHtTWUoKcK98TX0D8ZAGNwpO0tqKxv40D8aGjeIN5P2URyf7HbERRtG2rO47u62cbOJoyVtAWc30D8fiEAodJ75OJNdDLiwrR9qCcKLoAtROT7bKtQSmkPoYlTMvLm9NLaoqNAFqZRxOdZkz9DZnQbObesNO1YhvF2Zp7rT8qxJdsSb2y6hM9g5b6Vb2w1vg1JraMJt7Rd/uwasMdGGLpZhAhPW5DikC10wo0RmrMn5Qp0n9qFnyJqcL9S4WxiU3ok+M4UunDEMNWwJzhy6eIYITVqT3UJNq6nJKioR9aymUVmrHnk0a7lqaTbWFnRqOFkw2h8kODUcvF0Yt8ZYXLtwm5sPNhluAXQxS8atQJpkWrNw6227u6cGr1l2yLQSa0yMoAtaKq1qgk0ygy5qSbhhKxpWFGyyltaiUwilMc9xquhFE8QAushbEwYD5pifGyzjEa+l0SiT8l0FDuWJqRvcVh5nCYT7UnfIqmvN0pCdYN2o532bgOZqpR9XNkZbCcmJgjuClSa1EdxT8G9hOoIXEBy5DUEbtUdiaAsb4k4wWKOWRxN2UFgjNk9oeeDN2iOUDha1zKV3bIggNALBY43xHpnGDZE1yd1kGFHIuw9jLO1aghAOG8yxz7Jcw9kdWgjutAPUMdeFnlDlwcUQr7gbrNYkHO153Rm0mvVwpHP7KcKGbQnuIRzJVZLcsSX4zp22oJUowTvIJqoT7FU0QTBUFdWnYU0ietCuXlBZlsL2IMpzMHYYyAQcTY4qoWBjeOqpTynYGJqlOIxT+LWgOOccIp6MrkZgSO69IVZHGY7zunfQEjTg4IlcM9OHqIzgQVdTgnVUIqCrKbl+NAH63Cm5fjQB+PaLa6LaGAfdtq/gpKMZYFO5RjSbNgbculEctSWAdqZUmzaJgLPWIjnYTQA88xFRjja4m0B7VDvSBRxMG9nxxwIHbOhGYVs5F7jtmCHZYdsCsAkW6WhjDEob6baNNaHStyq6osIQYCM3n7Q2sK1myrMEwHOALmltAizjLYYu+jaIMZS2MeWBG9xNBKRHIHBLbpSXQACPhpPuEwBzBGklty3D4VLdKDducCtHygPeiypu89zwPzUBM0EUf+K7+4fPKuHh/p2qNg/OmuL9Fb/0+wcV0e8//KFkDXSHeaYwBLn4tf+6Qvr3SvUUNtle5RGh3w6q1Hbwu1K4NUHTQBSOJZxVKU3SP1MJN8D95QXFNwucJcH2eTFfFaPwlfOziwUF1oDvxitOqEy0fbF/WETj6FURxyeFXzk8/Fly8sN6b9A3MbqF+TOP2r7cL+LN8VERxyeFX5E0Go3vC7QB11GF1m0DbQrRpqJNUqANbo3yiaKJKUZtCB53KjpQilAbiovxCh7lQ6gNNnf3EXf9ngI+bSiCrahXQKgNQ7DtFVRTdNowHFZLWHeBCjpteK6uXPcQJDZtDpKD3wuu86spMm0cbFt5Fb3c9XFc2gSyh9dyveHShu6e9jxvqLTBH13OEKz2hkkbnvtTXrD6oAIibUifqvPZivFbnrZGmu8y2o6O0+Roy35rlTa0rwy37rIBl6Ot8edpmvTq7tHVZZoca5lvXf2Y1Yayhia4o4y3PG1vM4u5mWB721Crktlvvcpqw3K/0Wp66QvZc7UVbh1soC3zrbQ2HiOZv+cxG3B82vgI1yh3Fb2Y49ImPNQV9BPu/MUzV+DaBB/jD7WEsPv01BW0NmeKvFVbwr3xktfoQLUJZ4rjorsNiCZNR1zAaROOM6IUac9EI/4XjDbuOAMSHUEOf59DaPtnSK5yLvMNhLbTn6CLvS1WmxZWmxZWmxZWmxZWmxa52jJLt1ltb9KrtjnarjKfqqu2/cuv02RWd0+v0uQsime+dfktdLG3JU9bZgMguwWjnrub2Uuor7Y0Ze5cWW1Wm9WmjtWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmxfsPB1abBv+eW20avH99brVp4P73oWba/ge1KiK0SUpzWQAAAABJRU5ErkJggg==\",\n \"size\": \"Small\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.ShowCard\",\n \"title\": \"Add this IP Address to the IP Group\",\n \"card\": {\n \"type\": \"AdaptiveCard\",\n \"body\":[\n {\n \"type\": \"TextBlock\",\n \"text\": \"Select an IP Group : \"\n },\n {\n \"type\": \"Input.ChoiceSet\",\n \"id\": \"IPGroupSelectedVal\", \n \"value\": \"1\",\n \"choices\": @{body('Select_IPGroups_Choice_List_to_show_in_the_Adaptive_Card')}\n }\n \n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"OK\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n }\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}\n",
"recipient": {
"channelId": "[[parameters('Teams ChannelId')]"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "[[parameters('Teams GroupId')]"
}
}
},
"Select_IPGroups_Choice_List_to_show_in_the_Adaptive_Card": {
"runAfter": {
"Gets_all_IpGroups_in_a_resource_group": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@body('Gets_all_IpGroups_in_a_resource_group')?['value']",
"select": {
"title": "@item()?['name']",
"value": "@item()?['name']"
}
},
"description": "Prepare IP Groups Choice list to show in the Adaptive Card"
}
},
"runAfter": {
"List_-_IP_Groups_present_with_in_the_Resource_Group": [
"Succeeded"
]
},
"type": "Foreach"
},
"List_-_IP_Groups_present_with_in_the_Resource_Group": {
"runAfter": {
"Entities_-_Get_IPs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "IPAddresses",
"type": "array"
}
]
},
"description": "Variable to assign IP Groups present with in the Resource Group"
}
}
},
"parameters": {
"$connections": {
"value": {
"AzureFirewallConnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]",
"connectionName": "[[variables('OAuthConnection')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[[variables('AzureSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"teams": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"connectionName": "[[variables('TeamsConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
},
"virustotal": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('VirusTotalConnectionName'))]",
"connectionName": "[[variables('VirusTotalConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/virustotal')]"
}
}
}
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId2')]",
"contentId": "[variables('_playbookContentId2')]",
"kind": "Playbook",
"version": "[variables('playbookVersion2')]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
},
"dependencies": {
"criteria": [
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_AzureFirewallConnector')]",
"version": "[variables('playbookVersion1')]"
}
]
}
}
}
],
"metadata": {
"title": "Block IP - Azure Firewall IP groups",
"description": "This playbook allows blocking/allowing IPs in Azure Firewall. It allows to make changes on IP groups, which are attached to rules, instead of make direct changes on Azure Firewall. It also allows using the same IP group for multiple firewalls. [Learn more about IP Groups in Azure Firewall](https://docs.microsoft.com/azure/firewall/ip-groups)",
"mainSteps:": [
"When a new Sentinel incident is created:",
"1. An adaptive card is sent to the SOC channel providing IP address, Virus Total report, showing list of existing firewalls in the Resource group and providing an option to add IP Address to IPGroups or Ignore.",
"2. If SOC user confirms yes, the IP Address gets added to IPGroups under IPAddress section and incident will get updates with endpoint information, summary of the action taken and virus total scan report.",
"3. Else, incident will get updates with endpoint information and summary of the action taken."
],
"prerequisites": [
"1. Create IP Groups and attach them to Azure Firewall rules.",
"2. Create a Service Principal which the Azure Firewall connector will use, and grant Contributor permissions to it on the IP groups.",
"3. Deploy Azure Firewall Logic Apps custom connector under the same resource group (see link below).",
"4. To use VirusTotal connector in this playbook, get your [Virus Total API key](https://developers.virustotal.com/v3.0/reference#getting-started). Otherwise, erase these steps or replace them with other TI sources."
],
"lastUpdateTime": "2021-07-28T00:00:00Z",
"entities": [
"Ip"
],
"tags": [
"Remediation",
"Response from teams"
],
"source": {
"type": "solution",
"name": "Azure Firewall"
},
"postDeployment": [
"**a. Authorize connections**",
"Once deployment is complete, you will need to authorize each connection.",
"1. Click the Microsoft Sentinel connection resource",
"2. Click edit API connection",
"3. Click Authorize",
"4. Sign in",
"5. Click Save",
"6. Repeat steps for other connection such as Teams connection and Virus Total (For authorizing the Virus Total API connection, the API Key needs to be provided)",
"7. Authorize the Azure Firewall custom connector by following the below mentioned steps.",
"a. Navigate to playbook",
"b. Click Edit",
"c. Find the action with the name 'Lists all Azure Firewalls in a resource group', 'Gets the specified Azure Firewall', 'Creates or updates the specified Azure Firewall', 'Updates tags for Azure Firewall resource' in the workflow.",
"d. Click Change connection [ Enter Connection name, ClientId, SecretKey and TenantId captured from Microsoft Entra ID. ]",
"**b. Configurations in Sentinel",
"1. In Microsoft Sentinel analytical rules should be configured to trigger an incident with IP Entity.",
"2. Configure the automation rules to trigger this playbook"
],
"releaseNotes": [
{
"version": "1.0.0",
"title": "Block IP - Azure Firewall IP groups",
"notes": [
"Initial version"
]
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId2')]",
"contentKind": "Playbook",
"displayName": "AzureFirewall-BlockIP-addToIPGroup",
"contentProductId": "[variables('_playbookcontentProductId2')]",
"id": "[variables('_playbookcontentProductId2')]",
"version": "[variables('playbookVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AzureFirewall-AddIPtoTIAllowList Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
"parameters": {
"PlaybookName": {
"defaultValue": "AzureFirewall-AddIPtoTIAllowList",
"type": "String",
"metadata": {
"description": "Name of the Logic App or Playbook"
}
},
"CustomConnectorName": {
"defaultValue": "AzureFirewallConnector",
"type": "string",
"metadata": {
"description": "Name of the custom connector which interacts with Azure Firewall. Cannot contain spaces."
}
},
"Teams GroupId": {
"defaultValue": "TeamgroupId",
"type": "String",
"metadata": {
"description": "GroupId of the Team channel"
}
},
"Teams ChannelId": {
"defaultValue": "TeamChannelId",
"type": "String",
"metadata": {
"description": "Team ChannelId"
}
},
"clientId": {
"defaultValue": "<enter the ClientId of the application>",
"type": "string"
},
"clientSecret": {
"defaultValue": "<enter the Client secret of the application>",
"type": "securestring"
}
},
"variables": {
"OAuthConnection": "[[concat('OAuthConnection-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
"TeamsConnectionName": "[[concat('teamsconnector-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[[concat('VirusTotal-', parameters('PlaybookName'))]",
"connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-1": "[[variables('connection-1')]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
"_connection-3": "[[variables('connection-3')]",
"connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/virustotal')]",
"_connection-4": "[[variables('connection-4')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('OAuthConnection')]",
"location": "[[variables('workspace-location-inline')]",
"properties": {
"displayName": "OAuthConnection",
"parameterValues": {
"token:clientId": "[[parameters('clientId')]",
"token:clientSecret": "[[parameters('clientSecret')]",
"token:TenantId": "[[subscription().tenantId]",
"token:grantType": "client_credentials"
},
"api": {
"id": "[[variables('_connection-1')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('AzureSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]"
],
"properties": {
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('TeamsConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]"
],
"properties": {
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('VirusTotalConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]"
],
"properties": {
"api": {
"id": "[[variables('_connection-4')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]",
"[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('VirusTotalConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Each_malicious_IP_Address_Entity_present_in_the_Incident": {
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"actions": {
"Condition_-_Add_IP_Address_to_threat_intel_Allow_list_or_Ignore": {
"actions": {
"Add_comment_to_incident_with_the_endpoint_information_and_action_taken": {
"runAfter": {
"Creates_or_updates_the_specified_Firewall_Policy": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><strong>Azure Firewall Playbook performed the following action:<br>\n<br>\nIP Address : &nbsp;</strong><strong>@{items('Each_malicious_IP_Address_Entity_present_in_the_Incident')?['Address']}</strong><strong><br>\n<br>\nGot Virus Total Report &nbsp;:<br>\n<br>\nCountry &nbsp;: &nbsp;</strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['country']}</strong><strong><br>\nContinent : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['continent']}</strong><strong><br>\nASN : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['asn']}</strong><strong><br>\nAS_Owner L : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['as_owner']}</strong><strong><br>\n<br>\nTotal Votes :<br>\n&nbsp;<br>\n&nbsp;Malicious : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}</strong><strong><br>\n&nbsp;Positives Votes : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['harmless']}</strong><strong><br>\n&nbsp;Negative Votes : &nbsp;</strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}</strong><strong><br>\n&nbsp;Suspicious Votes: </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}</strong><strong><br>\n&nbsp;Number of reports saying that is Undetected : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['undetected']}</strong><strong><br>\nNetwork : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['network']}</strong><strong><br>\n<br>\nAction Taken in Azure Firewall<br>\n<br>\nAdded IP Address to the Firewall Policy Name : </strong><strong></strong><strong><br>\n<br>\n</strong></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"description": "Provide end point information and action taken in the incident information message"
},
"Append_-_IP_Address_to_Threat_intel_allow_list": {
"runAfter": {
"Assign_Threat_intel_allow_list_values": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "IP Array",
"value": "@items('Each_malicious_IP_Address_Entity_present_in_the_Incident')?['Address']"
},
"description": "Append IP Address to the Threat intel allow list"
},
"Assign_Threat_intel_allow_list_values": {
"runAfter": {
"Gets_the_specified_Firewall_Policy": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "IP Array",
"value": "@body('Gets_the_specified_Firewall_Policy')?['properties']?['threatIntelWhitelist']?['ipAddresses']"
},
"description": "Variable to store the list of existing IP Addresses"
},
"Creates_or_updates_the_specified_Firewall_Policy": {
"runAfter": {
"Append_-_IP_Address_to_Threat_intel_allow_list": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"location": "@body('Gets_the_specified_Firewall_Policy')?['location']",
"properties": {
"threatIntelWhitelist": {
"ipAddresses": "@variables('IP Array')"
}
},
"tags": {
"Configuration": "Sentinel"
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['AzureFirewallConnector']['connectionId']"
}
},
"method": "put",
"path": "/subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(outputs('Resource_Group_name'))}/providers/Microsoft.Network/firewallPolicies/@{encodeURIComponent(outputs('Firewall_policy_name'))}",
"queries": {
"api-version": "2020-07-01"
}
},
"description": "Post the list of IP Addresses along with IP Address present from the Incident"
},
"Firewall_policy_name": {
"runAfter": {
"Resource_Group_name": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@trim(split(body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['FirewallPolicySelectedVal'],'::')?[1])",
"description": "Reading the firewall policy name from the SOC selected"
},
"Gets_the_specified_Firewall_Policy": {
"runAfter": {
"Firewall_policy_name": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['AzureFirewallConnector']['connectionId']"
}
},
"method": "get",
"path": "/subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(outputs('Resource_Group_name'))}/providers/Microsoft.Network/firewallPolicies/@{encodeURIComponent(outputs('Firewall_policy_name'))}",
"queries": {
"api-version": "2020-07-01"
}
},
"description": "Get firewall policy information based on the SOC selection"
},
"Resource_Group_name": {
"type": "Compose",
"inputs": "@trim(split(body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['FirewallPolicySelectedVal'],'::')?[0])",
"description": "Reading the resource group name from the SOC selected"
},
"Update_incident": {
"runAfter": {
"Add_comment_to_incident_with_the_endpoint_information_and_action_taken": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentStatus']}"
},
"incidentArmId": "@triggerBody()?['object']?['id']",
"severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentSeverity']}",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [
"Succeeded"
]
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)": {
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><strong>Azure Firewall Playbook performed the following action:</strong><br>\n<br>\n<strong>IP Address : </strong>&nbsp;@{items('Each_malicious_IP_Address_Entity_present_in_the_Incident')?['Address']}<br>\n<strong><br>\nVirus Total Report &nbsp;:</strong><br>\n<br>\n<strong>Country &nbsp;: </strong>&nbsp;@{body('Ip_scan_report_V3')?['data']?['attributes']?['country']}<br>\n<strong>Continent :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['continent']}<br>\n<strong>ASN : </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['asn']}<br>\n<strong>AS_Owner :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['as_owner']}<br>\n<strong><br>\nTotal Votes :</strong><br>\n&nbsp;<br>\n<strong>&nbsp;Malicious :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}<br>\n<strong>&nbsp;Positives Votes : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['harmless']}</strong><strong><br>\n&nbsp;Negative Votes : </strong>&nbsp;@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}<br>\n<strong>&nbsp;Suspicious Votes : </strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}<br>\n<strong>&nbsp;Number of reports saying that is Undetected :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['undetected']}<br>\n<strong>Network :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['network']}<br>\n<br>\n<strong>Action Taken in Azure Firewall</strong><br>\n<br>\n<strong>Ignored to add IP Address to the Firewall Policy</strong></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']",
"OK"
]
}
]
},
"type": "If"
},
"Gets_all_the_Firewall_Policies_in_a_subscription": {
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['AzureFirewallConnector']['connectionId']"
}
},
"method": "get",
"path": "/subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/providers/Microsoft.Network/firewallPolicies",
"queries": {
"api-version": "2020-07-01"
}
}
},
"Ip_scan_report_V3": {
"runAfter": {
"Select_Firewall_Policies_Choice_List_to_show_in_the_Adaptive_Card": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['virustotal']['connectionId']"
}
},
"method": "get",
"path": "/api/v3/ip_addresses/@{encodeURIComponent(items('Each_malicious_IP_Address_Entity_present_in_the_Incident')?['Address'])}"
}
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": {
"runAfter": {
"Ip_scan_report_V3": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Suspicious IP - Microsoft Sentinel\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{triggerBody()?['object']?['properties']?['severity']} incident @{triggerBody()?['object']?['properties']?['title']} \",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n\n {\n \"type\": \"TextBlock\",\n \"text\": \"IP Address : @{items('Each_malicious_IP_Address_Entity_present_in_the_Incident')?['Address']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n\n },\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"bolder\",\n \"text\": \"Virus Total Report\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Country : @{body('Ip_scan_report_V3')?['data']?['attributes']?['country']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Continent : @{body('Ip_scan_report_V3')?['data']?['attributes']?['continent']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"ASN : @{body('Ip_scan_report_V3')?['data']?['attributes']?['asn']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"As_Owner : @{body('Ip_scan_report_V3')?['data']?['attributes']?['as_owner']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"bolder\",\n \"text\": \"Total Votes : \",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Malicious : @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['malicious']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Positive Votes : @{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['harmless']} \",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Suspicious : @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Number of reports saying that is Undetected : @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['undetected']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Network : @{body('Ip_scan_report_V3')?['data']?['attributes']?['network']}\",\n \"wrap\": true\n },\n \n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration:\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Microsoft Sentinel incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Azure Firewall Actions\",\n \n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAATYAAACjCAMAAAA3vsLfAAAA6lBMVEX///8VZr/mIyP/c4GCEBCAHTODDgl6Dg7hIiL/dYOJERHsJCT/d4UAX713AADpLjHkGRblHRz7Z3TuQkg8WKUAYL19AAAAW7vk0tIAaMPzra3lCQn1WGLrHxWUS4TrNzv3X2qjbKP0+PwAV7r/w8nb5/Uca8HG1+3Q3vBKhsyct982ecbp8PiowuR5oda80OotcsSrxOWGAADeKDJWis2Hqtpol9Nzn9Zkk9EkcMNGgcozecfh7PeWsdtVS4txMll3Kkx8Iz5qOWp/GyyBFyMxX7PyTlYsTqHAusqwfKry5uaIICCjXl6zeXlTdqKmAAAGVUlEQVR4nO2dW1vjNhBAEbul0KKyoQiXdluo09jEMbGT5kZIltJ7d9v//3eqrFkgdhwriuWZcXQeeTDR+Ub3kbS3Z6kHod8bjtoxf8Jrj4PId6F/F2JavcktE5wLtsTHv3S6UQv692HEH8csLWxZHusE1twS1914nbJPSHPzEPq3YsHtTWUoKcK98TX0D8ZAGNwpO0tqKxv40D8aGjeIN5P2URyf7HbERRtG2rO47u62cbOJoyVtAWc30D8fiEAodJ75OJNdDLiwrR9qCcKLoAtROT7bKtQSmkPoYlTMvLm9NLaoqNAFqZRxOdZkz9DZnQbObesNO1YhvF2Zp7rT8qxJdsSb2y6hM9g5b6Vb2w1vg1JraMJt7Rd/uwasMdGGLpZhAhPW5DikC10wo0RmrMn5Qp0n9qFnyJqcL9S4WxiU3ok+M4UunDEMNWwJzhy6eIYITVqT3UJNq6nJKioR9aymUVmrHnk0a7lqaTbWFnRqOFkw2h8kODUcvF0Yt8ZYXLtwm5sPNhluAXQxS8atQJpkWrNw6227u6cGr1l2yLQSa0yMoAtaKq1qgk0ygy5qSbhhKxpWFGyyltaiUwilMc9xquhFE8QAushbEwYD5pifGyzjEa+l0SiT8l0FDuWJqRvcVh5nCYT7UnfIqmvN0pCdYN2o532bgOZqpR9XNkZbCcmJgjuClSa1EdxT8G9hOoIXEBy5DUEbtUdiaAsb4k4wWKOWRxN2UFgjNk9oeeDN2iOUDha1zKV3bIggNALBY43xHpnGDZE1yd1kGFHIuw9jLO1aghAOG8yxz7Jcw9kdWgjutAPUMdeFnlDlwcUQr7gbrNYkHO153Rm0mvVwpHP7KcKGbQnuIRzJVZLcsSX4zp22oJUowTvIJqoT7FU0QTBUFdWnYU0ietCuXlBZlsL2IMpzMHYYyAQcTY4qoWBjeOqpTynYGJqlOIxT+LWgOOccIp6MrkZgSO69IVZHGY7zunfQEjTg4IlcM9OHqIzgQVdTgnVUIqCrKbl+NAH63Cm5fjQB+PaLa6LaGAfdtq/gpKMZYFO5RjSbNgbculEctSWAdqZUmzaJgLPWIjnYTQA88xFRjja4m0B7VDvSBRxMG9nxxwIHbOhGYVs5F7jtmCHZYdsCsAkW6WhjDEob6baNNaHStyq6osIQYCM3n7Q2sK1myrMEwHOALmltAizjLYYu+jaIMZS2MeWBG9xNBKRHIHBLbpSXQACPhpPuEwBzBGklty3D4VLdKDducCtHygPeiypu89zwPzUBM0EUf+K7+4fPKuHh/p2qNg/OmuL9Fb/0+wcV0e8//KFkDXSHeaYwBLn4tf+6Qvr3SvUUNtle5RGh3w6q1Hbwu1K4NUHTQBSOJZxVKU3SP1MJN8D95QXFNwucJcH2eTFfFaPwlfOziwUF1oDvxitOqEy0fbF/WETj6FURxyeFXzk8/Fly8sN6b9A3MbqF+TOP2r7cL+LN8VERxyeFX5E0Go3vC7QB11GF1m0DbQrRpqJNUqANbo3yiaKJKUZtCB53KjpQilAbiovxCh7lQ6gNNnf3EXf9ngI+bSiCrahXQKgNQ7DtFVRTdNowHFZLWHeBCjpteK6uXPcQJDZtDpKD3wuu86spMm0cbFt5Fb3c9XFc2gSyh9dyveHShu6e9jxvqLTBH13OEKz2hkkbnvtTXrD6oAIibUifqvPZivFbnrZGmu8y2o6O0+Roy35rlTa0rwy37rIBl6Ot8edpmvTq7tHVZZoca5lvXf2Y1Yayhia4o4y3PG1vM4u5mWB721Crktlvvcpqw3K/0Wp66QvZc7UVbh1soC3zrbQ2HiOZv+cxG3B82vgI1yh3Fb2Y49ImPNQV9BPu/MUzV+DaBB/jD7WEsPv01BW0NmeKvFVbwr3xktfoQLUJZ4rjorsNiCZNR1zAaROOM6IUac9EI/4XjDbuOAMSHUEOf59DaPtnSK5yLvMNhLbTn6CLvS1WmxZWmxZWmxZWmxZWmxa52jJLt1ltb9KrtjnarjKfqqu2/cuv02RWd0+v0uQsime+dfktdLG3JU9bZgMguwWjnrub2Uuor7Y0Ze5cWW1Wm9WmjtWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmxfsPB1abBv+eW20avH99brVp4P73oWba/ge1KiK0SUpzWQAAAABJRU5ErkJggg==\",\n \"size\": \"Small\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.ShowCard\",\n \"title\": \"Add IP address to threat intel allow list\",\n \"card\": {\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"text\": \"Select a Firewall Policy: \n \n(Resource Group - Firewall Policy name)\"\n },\n { \n \"type\": \"Input.ChoiceSet\",\n \"id\": \"FirewallPolicySelectedVal\",\n \"label\": \"Please select Firewall name and Rules name\",\n \"style\": \"compact\",\n \"isRequired\": true,\n \"errorMessage\": \"This is a required input\",\n \"placeholder\": \"Please choose\",\n \"choices\": @{body('Select_Firewall_Policies_Choice_List_to_show_in_the_Adaptive_Card')}\n }\n\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"OK\"\n } \n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\":\"1.2\"\n }\n\n },\n {\n \"type\":\"Action.Submit\",\n \"title\":\"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}\n",
"recipient": {
"channelId": "[[parameters('Teams ChannelId')]"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "[[parameters('Teams GroupId')]"
}
}
},
"Select_Firewall_Policies_Choice_List_to_show_in_the_Adaptive_Card": {
"runAfter": {
"Gets_all_the_Firewall_Policies_in_a_subscription": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@body('Gets_all_the_Firewall_Policies_in_a_subscription')?['value']",
"select": {
"title": " @{split(item()?['id'],'/')?[4]} @{item()?['name']}",
"value": "@{split(item()?['id'],'/')?[4]} ::@{item()?['name']}"
}
},
"description": "Prepare Firewall Policies Choice list to show in the Adaptive Card"
}
},
"runAfter": {
"List_-_Threat_intel_IP_Address_allow_list_from_the_Resource_Group": [
"Succeeded"
]
},
"type": "Foreach",
"description": "Post an Adaptive Card to each IP Address and add it to threat intel allow list based on Action"
},
"Entities_-_Get_IPs": {
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
}
},
"List_-_Threat_intel_IP_Address_allow_list_from_the_Resource_Group": {
"runAfter": {
"Entities_-_Get_IPs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "IP Array",
"type": "array"
}
]
},
"description": "Variable to store the List of existing Threat Intel allowed IP Addresses"
}
}
},
"parameters": {
"$connections": {
"value": {
"AzureFirewallConnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]",
"connectionName": "[[variables('OAuthConnection')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[[variables('AzureSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
},
"teams": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"connectionName": "[[variables('TeamsConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
},
"virustotal": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('VirusTotalConnectionName'))]",
"connectionName": "[[variables('VirusTotalConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/virustotal')]"
}
}
}
}
},
"tags": {
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId3')]",
"contentId": "[variables('_playbookContentId3')]",
"kind": "Playbook",
"version": "[variables('playbookVersion3')]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
},
"dependencies": {
"criteria": [
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_AzureFirewallConnector')]",
"version": "[variables('playbookVersion1')]"
}
]
}
}
}
],
"metadata": {
"title": "Azure Firewall - Add IP Address to Threat Intel Allow list",
"description": "This playbook allows the SOC to automatically response to Microsoft Sentinel incidents which includes IPs, by adding the IPs to the TI Allow list in Azure Firewall Policy.",
"mainSteps:": [
"When a new Sentinel incident is created:",
"1. An adaptive card is sent to the SOC channel, providing IP address, Virus Total report , showing list of existing firewalls in the Resource group and providing an option to block IP Address to Deny network rules collection or Ignore.",
"2. If SOC user confirms yes, the IP Address gets added to deny network rules collection and incident will get updates with endpoint information, summary of the action taken and virus total scan report.",
"3. Else, incident will get updates with endpoint information and summary of the action taken."
],
"prerequisites": [
"**This playbook template is based on Microsoft Sentinel Incident Trigger which is currently in Private Preview (Automation Rules).** You can change the trigger to the Sentinel Alert trigger in cases you are not part of the Private Preview.",
"1. Azure Firewall connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page.",
"2. Azure Firewall connector need to be authenticated with a Service Principal that has permissions over Azure Firewall. Relevant instructions can be found in the connector doc page.",
"3. This playbook will add new rules to existing Network Collections in Azure Firewalls in your subscription. Make sure you have such prior to running the playbook.",
"4.To use VirusTotal connector, get your Virus Totan API key. [ how to generate the API Key](https://developers.virustotal.com/v3.0/reference#getting-started)"
],
"postDeployment": [
"**a. Authorize connections**",
"Once deployment is complete, you will need to authorize each connection.",
"1. Click the Microsoft Sentinel connection resource",
"2. Click edit API connection",
"3. Click Authorize",
"4. Sign in",
"5. Click Save",
"6. Repeat steps for other connection such as Teams connection and Virus Total (For authorizing the Virus Total API connection, the API Key needs to be provided)",
"7. Authorize the Azure Firewall custom connector by following the below mentioned steps:",
"a. Navigate to playbook",
"b. Click Edit",
"c. Find the action with the name 'Lists all Azure Firewalls in a resource group', 'Gets the specified Firewall Policy', 'Creates or updates the specified Firewall Policy' in the workflow.",
"d. Click Change connection -- Enter Connection name, ClientId, SecretKey and TenantId captured from Microsoft Entra ID.",
"**b. Configurations in Sentinel**",
"1. In Microsoft Sentinel analytical rules should be configured to trigger an incident with IP Entity.",
"2. Configure the automation rules to trigger this playbook"
],
"lastUpdateTime": "2022-05-24T00:00:00Z",
"entities": [
"Ip"
],
"releaseNotes": [
{
"version": "1.0.0",
"title": "Azure Firewall - Add IP Address to Threat Intel Allow list",
"notes": [
"Initial version"
]
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId3')]",
"contentKind": "Playbook",
"displayName": "AzureFirewall-AddIPtoTIAllowList",
"contentProductId": "[variables('_playbookcontentProductId3')]",
"id": "[variables('_playbookcontentProductId3')]",
"version": "[variables('playbookVersion3')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName4')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AzureFirewall-BlockIP-addNewRule Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
"parameters": {
"PlaybookName": {
"defaultValue": "AzureFirewall-BlockIP-addNewRule",
"type": "string",
"metadata": {
"description": "Name of the Logic App or Playbook"
}
},
"CustomConnectorName": {
"defaultValue": "AzureFirewallConnector",
"type": "string",
"metadata": {
"description": "Name of the custom connector which interacts with Azure Firewall. Cannot contain spaces."
}
},
"Teams GroupId": {
"defaultValue": "TeamgroupId",
"type": "String",
"metadata": {
"description": "GroupId of the Team channel"
}
},
"Teams ChannelId": {
"defaultValue": "TeamChannelId",
"type": "String",
"metadata": {
"description": "Team ChannelId"
}
},
"clientId": {
"defaultValue": "<enter the ClientId of the application>",
"type": "string"
},
"clientSecret": {
"defaultValue": "<enter the Client secret of the application>",
"type": "securestring"
}
},
"variables": {
"OAuthConnection": "[[concat('OAuthConnection-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
"TeamsConnectionName": "[[concat('teamsconnector-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[[concat('VirusTotal-', parameters('PlaybookName'))]",
"connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-1": "[[variables('connection-1')]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
"_connection-3": "[[variables('connection-3')]",
"connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/virustotal')]",
"_connection-4": "[[variables('connection-4')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('OAuthConnection')]",
"location": "[[variables('workspace-location-inline')]",
"properties": {
"displayName": "OAuthConnection",
"parameterValues": {
"token:clientId": "[[parameters('clientId')]",
"token:clientSecret": "[[parameters('clientSecret')]",
"token:TenantId": "[[subscription().tenantId]",
"token:grantType": "client_credentials"
},
"api": {
"id": "[[variables('_connection-1')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('AzureSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]"
],
"properties": {
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('TeamsConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]"
],
"properties": {
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('VirusTotalConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]"
],
"properties": {
"api": {
"id": "[[variables('_connection-4')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]",
"[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('VirusTotalConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Entities_-_Get_IPs": {
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
}
},
"FinalRuleCollectionList": {
"runAfter": {
"RulecollectionFilteredArray": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "FinalRuleCollectionList",
"type": "array"
}
]
},
"description": "Variable to store the entire Network Rules collection"
},
"For_each_Firewall": {
"foreach": "@body('Gets_all_the_Azure_Firewalls_in_a_subscription')?['value']",
"actions": {
"Choice_list_-_Firewall_and_Rule_collection": {
"foreach": "@body('Select_Firewall_and_Rules_collection_name')",
"actions": {
"Condition": {
"actions": {
"Append_to_choice_list": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "FirewallsList",
"value": "@item()"
},
"description": "Append prepared Firewall and Rules collection list"
}
},
"expression": {
"and": [
{
"equals": [
"@item()?['action']",
"Deny"
]
}
]
},
"type": "If"
}
},
"runAfter": {
"Select_Firewall_and_Rules_collection_name": [
"Succeeded"
]
},
"type": "Foreach",
"description": "Prepare a choice list using the above formatted Output."
},
"Select_Firewall_and_Rules_collection_name": {
"type": "Select",
"inputs": {
"from": "@items('For_each_Firewall')?['properties']?['networkRuleCollections']",
"select": {
"action": "@item()?['properties']?['action']?['type']",
"title": "@{split(items('For_each_firewall')?['id'],'/')?[4]} @{items('For_each_Firewall')?['name']} @{item()?['name']}",
"value": "@{split(items('For_each_firewall')?['id'],'/')?[4]}::@{items('For_each_Firewall')?['name']}::@{item()?['name']}"
}
},
"description": "Select Firewall name and Rule collection name from the Azure Firewall response"
}
},
"runAfter": {
"Gets_all_the_Azure_Firewalls_in_a_subscription": [
"Succeeded"
]
},
"type": "Foreach",
"description": "Iterate over each Firewall present from the Resource Group and Prepare a Firewall - Rules collection choice list to show in the Adaptive Card"
},
"For_each_IP_Address_Entity_from_Incident": {
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"actions": {
"Add_IP_address_to_the_firewall_network_rules_list_based_on_SOC_choice": {
"actions": {
"Compose": {
"type": "Compose",
"inputs": "@split(body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['FirewallRulesSelectedVal'],',')",
"description": "Preparing an Array with SOC selected Firewall Options"
},
"For_each_rules_collection_selected_from_Adaptive_Card": {
"foreach": "@outputs('Compose')",
"actions": {
"Add_comment_to_incident_with_the_endpoint_info_and_action_taken": {
"runAfter": {
"Creates_or_updates_the_specified_Azure_Firewall": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><strong>Azure Firewall Playbook performed the following action :-<br>\n<br>\nIP Address : &nbsp;</strong><strong>@{items('For_each_IP_Address_Entity_from_Incident')?['Address']}</strong><strong><br>\n<br>\nVirus Total Report &nbsp;:<br>\n<br>\nCountry &nbsp;: &nbsp;</strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['country']}</strong><strong><br>\nContinent : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['continent']}</strong><strong><br>\nASN : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['asn']}</strong><strong><br>\nAS_Owner : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['as_owner']}</strong><strong><br>\n<br>\nTotal Votes :-<br>\n&nbsp;<br>\n&nbsp;Malicious : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}</strong><strong><br>\n&nbsp;Positives Votes : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['harmless']}</strong><strong><br>\n&nbsp;Negative Votes : &nbsp;</strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}</strong><strong><br>\n&nbsp;Suspicious Votes: </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}</strong><strong><br>\n&nbsp;Number of reports saying that is Undetected : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['undetected']}</strong><strong><br>\nNetwork : </strong><strong>@{body('Ip_scan_report_V3')?['data']?['attributes']?['network']}</strong><strong><br>\n<br>\nAction Taken In Azure Firewall :-<br>\n<br>\nAdded IP Address </strong><strong>@{items('For_each_IP_Address_Entity_from_Incident')?['Address']}</strong><strong> to the below Azure Firewall Configuration :-<br>\n<br>\nFirewall name : </strong><strong></strong><strong><br>\nRule Collection name : </strong><strong></strong><strong><br>\nRule name : </strong><strong></strong><strong><br>\n<br>\n</strong></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Assign_Rule": {
"runAfter": {
"Assign_selected_Rules_present_from_Network_rules_collection": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Rule",
"value": [
{
"description": "Block traffic based on source IPs and ports",
"destinationAddresses": [
"*"
],
"destinationPorts": [
"*"
],
"name": "@concat('Rule',utcNow('yyyy-MM-ddTHH:mm:ssZ'))",
"protocols": [
"Any"
],
"sourceAddresses": [
"@items('For_each_IP_Address_Entity_from_Incident')?['Address']"
]
}
]
},
"description": "Variable to store the new rule with malicious IP Address reported"
},
"Assign_selected_Rules_present_from_Network_rules_collection": {
"runAfter": {
"Excluded_selected_rules_collection_list_from_Adaptive_Card": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "RulecollectionFilteredArray",
"value": "@body('Filter_Network_rule_collection')[0]?['properties']?['rules']"
},
"description": "Variable to store the rules present in the selected network rules collection"
},
"Creates_or_updates_the_specified_Azure_Firewall": {
"runAfter": {
"Final_Network_rules_collection_list": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"location": "@body('Gets_the_specified_Azure_Firewall')?['location']",
"properties": {
"networkRuleCollections": "@variables('FinalRuleCollectionList')"
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['AzureFirewallConnector']['connectionId']"
}
},
"method": "put",
"path": "/subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(outputs('Resource_Group_name'))}/providers/Microsoft.Network/azureFirewalls/@{encodeURIComponent(outputs('Firewall_name'))}",
"queries": {
"api-version": "2020-07-01"
}
},
"description": "Create a rule with in the specified Azure firewall"
},
"Excluded_selected_rules_collection_list_from_Adaptive_Card": {
"runAfter": {
"Filter_network_collections_list_excluding_selected_rules_collection": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "FinalRuleCollectionList",
"value": "@body('Filter_network_collections_list_excluding_selected_rules_collection')"
},
"description": "Variable to store the above filtered collection"
},
"Filter_Network_rule_collection": {
"runAfter": {
"Store_Existing_Rule_collection_information": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@variables('RulecollectionArray')",
"where": "@equals(item()?['name'], trim(split(items('For_each_rules_collection_selected_from_Adaptive_Card'), '::')?[2]))"
},
"description": "Filter the network rule collection information based on the network rule collection selected in the Adaptive Card"
},
"Filter_network_collections_list_excluding_selected_rules_collection": {
"runAfter": {
"Filter_Network_rule_collection": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@variables('RulecollectionArray')",
"where": "@not(equals(item()?['name'], trim(split(items('For_each_rules_collection_selected_from_Adaptive_Card'), '::')?[2])))"
},
"description": "Filter the network collection list by excluding the selected rules collection"
},
"Final_Network_rules_collection_list": {
"runAfter": {
"Set_property_to_update_the_properties_with_in_the_selected_rules_collection_list": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "FinalRuleCollectionList",
"value": "@outputs('Set_property_to_update_the_properties_with_in_the_selected_rules_collection_list')"
},
"description": "Append the selected rules collection list "
},
"Firewall_name": {
"type": "Compose",
"inputs": "@trim(split(items('For_each_rules_collection_selected_from_Adaptive_Card'),'::')?[1])",
"description": "Reading the firewall name from the SOC selected Firewall Rule collection"
},
"Gets_the_specified_Azure_Firewall": {
"runAfter": {
"Resource_Group_name": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['AzureFirewallConnector']['connectionId']"
}
},
"method": "get",
"path": "/subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(outputs('Resource_Group_name'))}/providers/Microsoft.Network/azureFirewalls/@{encodeURIComponent(outputs('Firewall_name'))}",
"queries": {
"api-version": "2020-07-01"
}
},
"description": "Gets the specified Azure Firewall information from the Azure Firewall Connector"
},
"Join_the_New_Rule_to_the_selected_Rules_collection": {
"runAfter": {
"Assign_Rule": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@union(variables('RuleCollectionFilteredArray'),variables('Rule'))",
"description": "Append the new rule to the filtered rule collection list which is selected in the Adaptive Card"
},
"Resource_Group_name": {
"runAfter": {
"Firewall_name": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@trim(split(items('For_each_rules_collection_selected_from_Adaptive_Card'),'::')?[0])",
"description": "Reading the resource group name from the SOC selected Firewall Rule collection"
},
"Set_property_to_update_the_properties_with_in_the_selected_rules_collection_list": {
"runAfter": {
"Set_property_to_update_the_rules_list_with_in_the_selected_rules_collection_list": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@setProperty(body('Filter_Network_rule_collection')?[0],'properties',outputs('Set_property_to_update_the_rules_list_with_in_the_selected_rules_collection_list'))",
"description": "Update the existing network rules collection with the composed new rule collection list"
},
"Set_property_to_update_the_rules_list_with_in_the_selected_rules_collection_list": {
"runAfter": {
"Join_the_New_Rule_to_the_selected_Rules_collection": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@setProperty(body('Filter_Network_rule_collection')?[0]?['properties'],'rules',outputs('Join_the_New_Rule_to_the_selected_Rules_collection'))",
"description": "Update the existing rules list with the composed new rules list"
},
"Store_Existing_Rule_collection_information": {
"runAfter": {
"Gets_the_specified_Azure_Firewall": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "RulecollectionArray",
"value": "@body('Gets_the_specified_Azure_Firewall')?['properties']?['networkRuleCollections']"
},
"description": "Array to Store the existing rule collection information for the selected firewall"
},
"Update_incident": {
"runAfter": {
"Add_comment_to_incident_with_the_endpoint_info_and_action_taken": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentStatus']}"
},
"incidentArmId": "@triggerBody()?['object']?['id']",
"severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentSeverity']}",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Compose": [
"Succeeded"
]
},
"type": "Foreach",
"description": "Add a new rule to the each Rules collection selected from Adaptive Card"
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [
"Succeeded"
]
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)": {
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><strong>Azure Firewall Playbook performed the following action :-</strong><br>\n<br>\n<strong>IP Address :</strong> &nbsp;@{items('For_each_IP_Address_Entity_from_Incident')?['Address']}<br>\n<br>\n<strong>Virus Total Report &nbsp;:</strong><br>\n<br>\n<strong>Country &nbsp;: </strong>&nbsp;@{body('Ip_scan_report_V3')?['data']?['attributes']?['country']}<br>\n<strong>Continent :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['continent']}<br>\n<strong>ASN :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['asn']}<br>\n<strong>AS_Owner :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['as_owner']}<br>\n<br>\n<strong>Total Votes :-</strong><br>\n&nbsp;<br>\n<strong>&nbsp;Malicious :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}<br>\n<strong>&nbsp;Positives Votes :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['harmless']}<br>\n<strong>&nbsp;Negative Votes :</strong> &nbsp;@{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['malicious']}<br>\n<strong>&nbsp;Suspicious Votes :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}<br>\n<strong>&nbsp;Number of reports saying that is Undetected :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['undetected']}<br>\n<strong>Network :</strong> @{body('Ip_scan_report_V3')?['data']?['attributes']?['network']}<br>\n<br>\n<strong>Action Taken In Azure Firewall :-<br>\n<br>\nIgnored to Add IP Address : </strong><strong>@{items('For_each_IP_Address_Entity_from_Incident')?['Address']}</strong><strong> to the Network Rules collection.</strong></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']",
"OK"
]
}
]
},
"type": "If",
"description": "Condition - Add the IP address to the Firewall rule collection list or Ignore"
},
"Ip_scan_report_V3": {
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['virustotal']['connectionId']"
}
},
"method": "get",
"path": "/api/v3/ip_addresses/@{encodeURIComponent(items('For_each_IP_Address_Entity_from_Incident')?['Address'])}"
}
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": {
"runAfter": {
"Ip_scan_report_V3": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Suspicious IP - Microsoft Sentinel\",\n \"wrap\": true\n },\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"@{triggerBody()?['object']?['properties']?['severity']} incident @{triggerBody()?['object']?['properties']?['title']} \",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"IP Address : @{items('For_each_IP_Address_Entity_from_Incident')?['Address']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n\n },\n{\n \"type\": \"TextBlock\",\n \n \"weight\": \"bolder\",\n \"text\": \"Virus Total Report\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Country : @{body('Ip_scan_report_V3')?['data']?['attributes']?['country']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Continent : @{body('Ip_scan_report_V3')?['data']?['attributes']?['continent']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"ASN : @{body('Ip_scan_report_V3')?['data']?['attributes']?['asn']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"As_Owner : @{body('Ip_scan_report_V3')?['data']?['attributes']?['as_owner']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"bolder\",\n \"text\": \"Total Votes : \",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Malicious : @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['malicious']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Positive Votes : @{body('Ip_scan_report_V3')?['data']?['attributes']?['total_votes']?['harmless']} \",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Suspicious : @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Number of reports saying that is Undetected : @{body('Ip_scan_report_V3')?['data']?['attributes']?['last_analysis_stats']?['undetected']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Network : @{body('Ip_scan_report_V3')?['data']?['attributes']?['network']}\",\n \"wrap\": true\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Microsoft Sentinel incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Azure Firewall Actions\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAATYAAACjCAMAAAA3vsLfAAAA6lBMVEX///8VZr/mIyP/c4GCEBCAHTODDgl6Dg7hIiL/dYOJERHsJCT/d4UAX713AADpLjHkGRblHRz7Z3TuQkg8WKUAYL19AAAAW7vk0tIAaMPzra3lCQn1WGLrHxWUS4TrNzv3X2qjbKP0+PwAV7r/w8nb5/Uca8HG1+3Q3vBKhsyct982ecbp8PiowuR5oda80OotcsSrxOWGAADeKDJWis2Hqtpol9Nzn9Zkk9EkcMNGgcozecfh7PeWsdtVS4txMll3Kkx8Iz5qOWp/GyyBFyMxX7PyTlYsTqHAusqwfKry5uaIICCjXl6zeXlTdqKmAAAGVUlEQVR4nO2dW1vjNhBAEbul0KKyoQiXdluo09jEMbGT5kZIltJ7d9v//3eqrFkgdhwriuWZcXQeeTDR+Ub3kbS3Z6kHod8bjtoxf8Jrj4PId6F/F2JavcktE5wLtsTHv3S6UQv692HEH8csLWxZHusE1twS1914nbJPSHPzEPq3YsHtTWUoKcK98TX0D8ZAGNwpO0tqKxv40D8aGjeIN5P2URyf7HbERRtG2rO47u62cbOJoyVtAWc30D8fiEAodJ75OJNdDLiwrR9qCcKLoAtROT7bKtQSmkPoYlTMvLm9NLaoqNAFqZRxOdZkz9DZnQbObesNO1YhvF2Zp7rT8qxJdsSb2y6hM9g5b6Vb2w1vg1JraMJt7Rd/uwasMdGGLpZhAhPW5DikC10wo0RmrMn5Qp0n9qFnyJqcL9S4WxiU3ok+M4UunDEMNWwJzhy6eIYITVqT3UJNq6nJKioR9aymUVmrHnk0a7lqaTbWFnRqOFkw2h8kODUcvF0Yt8ZYXLtwm5sPNhluAXQxS8atQJpkWrNw6227u6cGr1l2yLQSa0yMoAtaKq1qgk0ygy5qSbhhKxpWFGyyltaiUwilMc9xquhFE8QAushbEwYD5pifGyzjEa+l0SiT8l0FDuWJqRvcVh5nCYT7UnfIqmvN0pCdYN2o532bgOZqpR9XNkZbCcmJgjuClSa1EdxT8G9hOoIXEBy5DUEbtUdiaAsb4k4wWKOWRxN2UFgjNk9oeeDN2iOUDha1zKV3bIggNALBY43xHpnGDZE1yd1kGFHIuw9jLO1aghAOG8yxz7Jcw9kdWgjutAPUMdeFnlDlwcUQr7gbrNYkHO153Rm0mvVwpHP7KcKGbQnuIRzJVZLcsSX4zp22oJUowTvIJqoT7FU0QTBUFdWnYU0ietCuXlBZlsL2IMpzMHYYyAQcTY4qoWBjeOqpTynYGJqlOIxT+LWgOOccIp6MrkZgSO69IVZHGY7zunfQEjTg4IlcM9OHqIzgQVdTgnVUIqCrKbl+NAH63Cm5fjQB+PaLa6LaGAfdtq/gpKMZYFO5RjSbNgbculEctSWAdqZUmzaJgLPWIjnYTQA88xFRjja4m0B7VDvSBRxMG9nxxwIHbOhGYVs5F7jtmCHZYdsCsAkW6WhjDEob6baNNaHStyq6osIQYCM3n7Q2sK1myrMEwHOALmltAizjLYYu+jaIMZS2MeWBG9xNBKRHIHBLbpSXQACPhpPuEwBzBGklty3D4VLdKDducCtHygPeiypu89zwPzUBM0EUf+K7+4fPKuHh/p2qNg/OmuL9Fb/0+wcV0e8//KFkDXSHeaYwBLn4tf+6Qvr3SvUUNtle5RGh3w6q1Hbwu1K4NUHTQBSOJZxVKU3SP1MJN8D95QXFNwucJcH2eTFfFaPwlfOziwUF1oDvxitOqEy0fbF/WETj6FURxyeFXzk8/Fly8sN6b9A3MbqF+TOP2r7cL+LN8VERxyeFX5E0Go3vC7QB11GF1m0DbQrRpqJNUqANbo3yiaKJKUZtCB53KjpQilAbiovxCh7lQ6gNNnf3EXf9ngI+bSiCrahXQKgNQ7DtFVRTdNowHFZLWHeBCjpteK6uXPcQJDZtDpKD3wuu86spMm0cbFt5Fb3c9XFc2gSyh9dyveHShu6e9jxvqLTBH13OEKz2hkkbnvtTXrD6oAIibUifqvPZivFbnrZGmu8y2o6O0+Roy35rlTa0rwy37rIBl6Ot8edpmvTq7tHVZZoca5lvXf2Y1Yayhia4o4y3PG1vM4u5mWB721Crktlvvcpqw3K/0Wp66QvZc7UVbh1soC3zrbQ2HiOZv+cxG3B82vgI1yh3Fb2Y49ImPNQV9BPu/MUzV+DaBB/jD7WEsPv01BW0NmeKvFVbwr3xktfoQLUJZ4rjorsNiCZNR1zAaROOM6IUac9EI/4XjDbuOAMSHUEOf59DaPtnSK5yLvMNhLbTn6CLvS1WmxZWmxZWmxZWmxZWmxa52jJLt1ltb9KrtjnarjKfqqu2/cuv02RWd0+v0uQsime+dfktdLG3JU9bZgMguwWjnrub2Uuor7Y0Ze5cWW1Wm9WmjtWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmhdWmxfsPB1abBv+eW20avH99brVp4P73oWba/ge1KiK0SUpzWQAAAABJRU5ErkJggg==\",\n \"size\": \"Small\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.ShowCard\",\n \"title\": \"Add IP address to Network Rules Collection\",\n \"card\": {\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"text\": \"Select a Firewall and Rule collection: \n \n(Resource group - Firewall name - Collection name) \"\n },\n \n { \n \"type\": \"Input.ChoiceSet\",\n \"id\": \"FirewallRulesSelectedVal\",\n \"label\": \"Please select Firewall and netRules name\",\n \"style\": \"compact\",\n \"isRequired\": true,\n \"errorMessage\": \"This is a required input\",\n \"placeholder\": \"Please select an Firewall - Network Rules List\",\n \"isMultiSelect\": true,\n \"choices\": @{variables('FirewallsList')}\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"OK\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n }\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "[[parameters('Teams ChannelId')]"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "[[parameters('Teams GroupId')]"
}
}
}
},
"runAfter": {
"For_each_Firewall": [
"Succeeded"
]
},
"type": "Foreach",
"description": "For each IP Address from Entity"
},
"Gets_all_the_Azure_Firewalls_in_a_subscription": {
"runAfter": {
"List_-_existing_firewalls_with_in_the_Resource_Group": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['AzureFirewallConnector']['connectionId']"
}
},
"method": "get",
"path": "/subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/providers/Microsoft.Network/azureFirewalls",
"queries": {
"api-version": "2020-07-01"
}
}
},
"Initialize_Rule": {
"runAfter": {
"Entities_-_Get_IPs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Rule",
"type": "array"
}
]
},
"description": "Variable to store the Rule information"
},
"List_-_existing_firewalls_with_in_the_Resource_Group": {
"runAfter": {
"FinalRuleCollectionList": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "FirewallsList",
"type": "array"
}
]
},
"description": "Variable to store the Firewall - Rule collection choice list to show in the Adaptive Card"
},
"RulecollectionArray": {
"runAfter": {
"Initialize_Rule": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "RulecollectionArray",
"type": "array"
}
]
},
"description": "Variable to store the Rules collection array"
},
"RulecollectionFilteredArray": {
"runAfter": {
"RulecollectionArray": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "RulecollectionFilteredArray",
"type": "array"
}
]
},
"description": "Variable to store the Rules collection array which is selected by SOC"
}
}
},
"parameters": {
"$connections": {
"value": {
"AzureFirewallConnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('OAuthConnection'))]",
"connectionName": "[[variables('OAuthConnection')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[[variables('AzureSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
},
"teams": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"connectionName": "[[variables('TeamsConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
},
"virustotal": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('VirusTotalConnectionName'))]",
"connectionName": "[[variables('VirusTotalConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/virustotal')]"
}
}
}
}
},
"tags": {
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId4')]",
"contentId": "[variables('_playbookContentId4')]",
"kind": "Playbook",
"version": "[variables('playbookVersion4')]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
},
"dependencies": {
"criteria": [
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_AzureFirewallConnector')]",
"version": "[variables('playbookVersion1')]"
}
]
}
}
}
],
"metadata": {
"title": "BlockIP-Azure Firewall New Rule",
"description": "This playbook uses the Azure Firewall connector to add IP Address to the Deny Network Rules collection based on the Microsoft Sentinel Incident",
"mainSteps:": [
"When a new Sentinel incident is created:",
"1. An adaptive card is sent to the SOC channel, providing IP address, Virus Total report , showing list of existing firewalls in the Resource group and providing an option to block IP Address to Deny network rules collection or Ignore.",
"2. If SOC user confirms yes, the IP Address gets added to deny network rules collection and incident will get updates with endpoint information, summary of the action taken and virus total scan report.",
"3. Else, incident will get updates with endpoint information and summary of the action taken."
],
"prerequisites": [
"**This playbook template is based on Microsoft Sentinel Incident Trigger which is currently in Private Preview (Automation Rules).** You can change the trigger to the Sentinel Alert trigger in cases you are not part of the Private Preview.",
"1. Azure Firewall connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page.",
"2. Azure Firewall connector need to be authenticated with a Service Principal that has permissions over Azure Firewall. Relevant instructions can be found in the connector doc page.",
"3. This playbook will add new rules to existing Network Collections in Azure Firewalls in your subscription. Make sure you have such prior to running the playbook.",
"4.To use VirusTotal connector, get your Virus Totan API key. [ how to generate the API Key](https://developers.virustotal.com/v3.0/reference#getting-started)"
],
"lastUpdateTime": "2022-05-24T00:00:00Z",
"entities": [
"Ip"
],
"postDeployment": [
"**a. Authorize connections**",
"Once deployment is complete, you will need to authorize each connection.",
"1. Click the Microsoft Sentinel connection resource",
"2. Click edit API connection",
"3. Click Authorize",
"4. Sign in",
"5. Click Save",
"6. Repeat steps for other connection such as Teams connection and Virus Total (For authorizing the Virus Total API connection, the API Key needs to be provided)",
"7. Authorize the Azure Firewall custom connector by following the below mentioned steps.",
"a. Navigate to playbook",
"b. Click Edit",
"c. Find the action with the name 'Lists all Azure Firewalls in a resource group', 'Gets the specified Azure Firewall', 'Creates or updates the specified Azure Firewall', 'Updates tags for Azure Firewall resource' in the workflow.",
"d. Click Change connection [ Enter Connection name, ClientId, SecretKey and TenantId captured from Microsoft Entra ID. ]",
"**b. Configurations in Sentinel**",
"1. In Microsoft Sentinel analytical rules should be configured to trigger an incident with IP Entity.",
"2. Configure the automation rules to trigger this playbook"
],
"releaseNotes": [
{
"version": "1.0.0",
"title": "BlockIP-Azure Firewall New Rule",
"notes": [
"Initial version"
]
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId4')]",
"contentKind": "Playbook",
"displayName": "AzureFirewall-BlockIP-addNewRule",
"contentProductId": "[variables('_playbookcontentProductId4')]",
"id": "[variables('_playbookcontentProductId4')]",
"version": "[variables('playbookVersion4')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall - First Time Source IP to Destination Using Port_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2022-10-01",
"name": "Azure_Firewall_Hunting_Query_1",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "First Time Source IP to Destination Using Port",
"category": "Hunting Queries",
"query": "let LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartLearningPeriod = LearningPeriod + RunTime;\nlet EndRunTime = RunTime - 1d;\nlet TrafficLogs = (union isfuzzy=true\n(AzureDiagnostics\n | where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\"\n | parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" *\n | where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWApplicationRule),\n(AZFWNetworkRule\n| extend Fqdn = DestinationIp));\nlet LearningSrcIpToDstIpPort = (TrafficLogs\n| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))\n| summarize LearningSrcToDsts = make_set(Fqdn,10000) by SourceIp, DestinationPort);\nlet AlertTimeSrcIpToDstIpPort = (TrafficLogs\n| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))\n| extend AlertTimeDst = Fqdn\n| distinct AlertTimeDst ,SourceIp, DestinationPort);\nAlertTimeSrcIpToDstIpPort\n| join kind=leftouter (LearningSrcIpToDstIpPort) on SourceIp, DestinationPort\n| mv-expand LearningSrcToDsts\n| where AlertTimeDst != LearningSrcToDsts\n| summarize LearningSrcToDsts = make_set(LearningSrcToDsts,10000) by SourceIp, AlertTimeDst, DestinationPort\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "Identifies the first time a source IP communicates with a destination using a specific port based on learning period activity. \nConfigurable Parameters: - Learning period time - learning period for threshold calculation in days. Default is set to 7."
},
{
"name": "tactics",
"value": "Exfiltration,CommandAndControl"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
"properties": {
"description": "Azure Firewall Hunting Query 1",
"parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"contentKind": "HuntingQuery",
"displayName": "First Time Source IP to Destination Using Port",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
"version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall - First time source IP to Destination_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2022-10-01",
"name": "Azure_Firewall_Hunting_Query_2",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "First Time Source IP to Destination",
"category": "Hunting Queries",
"query": "let LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartLearningPeriod = LearningPeriod + RunTime;\nlet EndRunTime = RunTime - 1d;\nlet TrafficLogs = (union isfuzzy=true\n(AzureDiagnostics\n | where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\"\n | parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" *\n | where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWApplicationRule),\n(AZFWNetworkRule\n| extend Fqdn = DestinationIp));\nlet LearningSrcIpToDstIpPort = (TrafficLogs\n| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))\n| summarize LearningSrcToDsts = make_set(Fqdn,10000) by SourceIp, DestinationPort);\nlet AlertTimeSrcIpToDstIpPort = (TrafficLogs\n| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))\n| extend AlertTimeDst = Fqdn\n| distinct AlertTimeDst ,SourceIp, DestinationPort);\nAlertTimeSrcIpToDstIpPort\n| join kind=leftouter (LearningSrcIpToDstIpPort) on SourceIp, DestinationPort\n| mv-expand LearningSrcToDsts\n| where AlertTimeDst != LearningSrcToDsts\n| summarize LearningSrcToDsts = make_set(LearningSrcToDsts,10000) by SourceIp, AlertTimeDst\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "Identifies the first time a source IP communicates with a destination based on a configurable learning period.\nConfigurable Parameters: - Learning period time - learning period for threshold calculation in days. Default is set to 7."
},
{
"name": "tactics",
"value": "Exfiltration,CommandAndControl"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
"properties": {
"description": "Azure Firewall Hunting Query 2",
"parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
"contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"contentKind": "HuntingQuery",
"displayName": "First Time Source IP to Destination",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
"version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall - Source IP Abnormally Connects to Multiple Destinations_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2022-10-01",
"name": "Azure_Firewall_Hunting_Query_3",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Source IP Abnormally Connects to Multiple Destinations",
"category": "Hunting Queries",
"query": "let LearningPeriod = 5d;\nlet RunTime = 1h;\nlet StartLearningPeriod = LearningPeriod + RunTime;\nlet EndRunTime = RunTime - 1d;\nlet BinTime = 1h;\nlet NumOfStdsThreshold = 3;\nlet MinThreshold = 10;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = (union isfuzzy=true\n(AzureDiagnostics\n| where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" *\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWApplicationRule\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWNetworkRule\n| extend Fqdn = DestinationIp\n| where isnotempty(Fqdn) and isnotempty(SourceIp)));\nlet LearningSrcIp = (TrafficLogs\n| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))\n| summarize dcount(Fqdn) by SourceIp, bin(TimeGenerated, BinTime)\n| summarize LearningTimeSrcAvg = avg(dcount_Fqdn), LearningTimeSrcStd = stdev(dcount_Fqdn), LearningTimeBuckets = count() by SourceIp\n| where LearningTimeBuckets > MinLearningBuckets);\nlet AlertTimeSrcIp = (TrafficLogs\n| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))\n| summarize AlertTimeSrcIpdCount = dcount(Fqdn) by SourceIp, Fqdn);\nAlertTimeSrcIp\n| join kind=leftouter (LearningSrcIp) on SourceIp\n| extend LearningThreshold = max_of(LearningTimeSrcAvg + NumOfStdsThreshold * LearningTimeSrcStd, MinThreshold)\n| where AlertTimeSrcIpdCount > LearningThreshold\n| project-away SourceIp1, LearningTimeSrcAvg, LearningTimeSrcStd\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "Identifies source IP that abnormally connects to multiple destinations according to learning period activity. This can indicate initial access attempts by attackers, trying to jump between different machines in the organization."
},
{
"name": "tactics",
"value": "Execution,LateralMovement"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]",
"properties": {
"description": "Azure Firewall Hunting Query 3",
"parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]",
"contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryObject3').huntingQueryVersion3]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
"contentKind": "HuntingQuery",
"displayName": "Source IP Abnormally Connects to Multiple Destinations",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
"version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall - Uncommon Port for Organization_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2022-10-01",
"name": "Azure_Firewall_Hunting_Query_4",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Uncommon Port for Organization",
"category": "Hunting Queries",
"query": "let LearningPeriod = 7d; \nlet RunTime = 1h; \nlet StartLearningPeriod = LearningPeriod + RunTime; \nlet EndRunTime = RunTime - 1d; \nlet AllowedCommonPorts = dynamic([80, 443]); \nlet TrafficLogs = (union isfuzzy=true\n(AzureDiagnostics\n| where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\" \n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \". \" * \"Action: \" Action \".\" *\n| where isnotempty(SourceIp)),\n(AZFWApplicationRule\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWNetworkRule\n| extend Fqdn = DestinationIp\n| where isnotempty(Fqdn) and isnotempty(SourceIp)));\nlet LearningSrcIp = (TrafficLogs \n| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime)) \n| distinct DestinationPort);\nlet AlertTimeSrcIpToPort = (TrafficLogs \n| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime)) \n| distinct SourceIp, DestinationPort, Fqdn);\nAlertTimeSrcIpToPort \n| join kind=leftantisemi (LearningSrcIp) on DestinationPort \n| where DestinationPort !in (AllowedCommonPorts)\n| extend IPCustomEntity = SourceIp, URLCustomEntity = Fqdn\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "Identifies abnormal ports used in the organization based on learning period activity. This can indicate exfiltration attack or C2 control from machines in the organization by using new a port that has never been used."
},
{
"name": "tactics",
"value": "DefenseEvasion,Exfiltration,CommandAndControl"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]",
"properties": {
"description": "Azure Firewall Hunting Query 4",
"parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]",
"contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryObject4').huntingQueryVersion4]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
"contentKind": "HuntingQuery",
"displayName": "Uncommon Port for Organization",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
"version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall - Uncommon Port to IP_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2022-10-01",
"name": "Azure_Firewall_Hunting_Query_5",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Uncommon Port to IP",
"category": "Hunting Queries",
"query": "let LearningPeriod = 7d; \nlet RunTime = 1d; \nlet StartLearningPeriod = LearningPeriod + RunTime; \nlet EndRunTime = RunTime - 1d; \nlet AllowedCommonPorts = dynamic([80, 443]); \nlet TrafficLogs = (union isfuzzy=true\n(AzureDiagnostics\n| where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\" \n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \". \" * \"Action: \" Action \".\" *\n| where isnotempty(SourceIp)),\n(AZFWNetworkRule\n| extend Fqdn = DestinationIp\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWApplicationRule\n| where isnotempty(Fqdn) and isnotempty(SourceIp))); \nlet LearningSrcIp = (TrafficLogs \n| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime)) \n| distinct SourceIp ,DestinationPort); \nlet AlertTimeSrcIpToPort = (TrafficLogs \n| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime)) \n| distinct SourceIp ,DestinationPort, Fqdn); \nAlertTimeSrcIpToPort \n| join kind=leftantisemi (LearningSrcIp) on SourceIp ,DestinationPort\n| where DestinationPort !in (AllowedCommonPorts)\n| extend IPCustomEntity = SourceIp, URLCustomEntity = Fqdn\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "Identifies abnormal ports used by machines to connect to a destination IP based on learning period activity. This can indicate exfiltration attack or C2 control from machines in the organization by using new a port that has never been used."
},
{
"name": "tactics",
"value": "Exfiltration,CommandAndControl"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]",
"properties": {
"description": "Azure Firewall Hunting Query 5",
"parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]",
"contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryObject5').huntingQueryVersion5]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
"contentKind": "HuntingQuery",
"displayName": "Uncommon Port to IP",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
"version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SeveralDenyActionsRegistered_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.",
"displayName": "Several deny actions registered",
"enabled": false,
"query": "let threshold = 1;\nunion isfuzzy=true(\nAZFWApplicationRule\n| where Action == \"Deny\"\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\n| where count_ >= [\"threshold\"]),\n(AZFWNetworkRule\n| where Action == \"Deny\"\n| extend Fqdn = DestinationIp\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\n| where count_ >= [\"threshold\"]),\n(AZFWFlowTrace\n| where Action == \"Deny\"\n| extend Fqdn = DestinationIp\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\n| where count_ >= [\"threshold\"]),\n(AZFWIdpsSignature\n| where Action == \"Deny\"\n| extend Fqdn = DestinationIp\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\n| where count_ >= [\"threshold\"]),\n(AzureDiagnostics\n| where OperationName in (\"AzureFirewallApplicationRuleLog\",\"AzureFirewallNetworkRuleLog\")\n| extend msg_s_replaced0 = replace(@\"\\s\\s\",@\" \",msg_s)\n| extend msg_s_replaced1 = replace(@\"\\.\\s\",@\" \",msg_s_replaced0)\n| extend msg_a = split(msg_s_replaced1,\" \")\n| extend srcAddr_a = split(msg_a[3],\":\") , destAddr_a = split(msg_a[5],\":\")\n| extend Protocol = tostring(msg_a[0]), SourceIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), DestinationIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), Action = tostring(msg_a[7])\n| where Action == \"Deny\"\n| extend Fqdn = iff(DestinationIp matches regex \"\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+\",\"\",DestinationIp)\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\n| where count_ >= [\"threshold\"])\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 1,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"AzureDiagnostics",
"AZFWApplicationRule",
"AZFWNetworkRule",
"AZFWFlowTrace",
"AZFWIdpsSignature"
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
"Discovery",
"LateralMovement",
"CommandAndControl"
],
"techniques": [
"T1046",
"T1071",
"T1210"
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
"description": "Azure Firewall Analytics Rule 1",
"parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"contentKind": "AnalyticsRule",
"displayName": "Several deny actions registered",
"contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
"id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall - Port Sweep_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies a source IP scanning same open ports on the Azure Firewall IPs. This can indicate malicious scanning of port by an attacker, trying to reveal IPs with specific ports open in the organization. The ports can be compromised by attackers for initial access, most often by exploiting vulnerability.\n\nConfigurable Parameters:\n\n- Port sweep time - the time range to look for multiple hosts scanned. Default is set to 30 seconds.\n- Minimum different hosts threshold - alert only if more than this number of hosts scanned. Default is set to 200.",
"displayName": "Port Sweep",
"enabled": false,
"query": "let MinimumDifferentHostsThreshold = 200;\nlet ExcludedPorts = dynamic([80 , 443]);\nlet BinTime = 30s;\nunion isfuzzy=true(\nAZFWApplicationRule\n| where DestinationPort !in (ExcludedPorts)\n| summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort\n| where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold\n| mv-expand Fqdn = AlertTimedCountHostsInBinTime),\n(AZFWNetworkRule\n| extend Fqdn = DestinationIp\n| where DestinationPort !in (ExcludedPorts)\n| summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort\n| where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold\n| mv-expand Fqdn = AlertTimedCountHostsInBinTime),\n(AzureDiagnostics\n| where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \". \" * \"Action: \" Action \".\" *\n| where DestinationPort !in (ExcludedPorts)\n| where isnotempty(Fqdn) and isnotempty(SourceIp) and isnotempty(DestinationPort)\n| summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort\n| where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold\n| mv-expand Fqdn = AlertTimedCountHostsInBinTime)\n| project bin(TimeGenerated, BinTime), SourceIp, DestinationPort, AlertTimedCountHostsInBinTime, Fqdn\n",
"queryFrequency": "PT1H",
"queryPeriod": "P1D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 1,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"AzureDiagnostics",
"AZFWApplicationRule",
"AZFWNetworkRule"
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
"Discovery"
],
"techniques": [
"T1046"
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
"description": "Azure Firewall Analytics Rule 2",
"parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
"contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"contentKind": "AnalyticsRule",
"displayName": "Port Sweep",
"contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
"id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
"version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall - Port Scan_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies a source IP scanning multiple open ports on Azure Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.\n\nConfigurable Parameters:\n\n- Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.\n- Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.",
"displayName": "Port Scan",
"enabled": false,
"query": "let MinimumDifferentPortsThreshold = 100;\nlet BinTime = 30s;\nunion isfuzzy=true(\nAZFWApplicationRule\n| summarize AlertTimedCountPortsInBinTime = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, BinTime), Fqdn\n| where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold),\n(AZFWNetworkRule\n| extend Fqdn = DestinationIp\n| summarize AlertTimedCountPortsInBinTime = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, BinTime), Fqdn\n| where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold),\n(AzureDiagnostics\n| where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int *\n| where isnotempty(Fqdn) and isnotempty(SourceIp)\n| summarize AlertTimedCountPortsInBinTime = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, BinTime), Fqdn\n| where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 1,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"AzureDiagnostics",
"AZFWApplicationRule",
"AZFWNetworkRule"
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
"Discovery"
],
"techniques": [
"T1046"
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
"properties": {
"description": "Azure Firewall Analytics Rule 3",
"parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
"contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"contentKind": "AnalyticsRule",
"displayName": "Port Scan",
"contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
"id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
"version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall - Multiple Sources Affected by the Same TI Destination_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.\n\nConfigurable Parameters:\n\n- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.\n- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.",
"displayName": "Multiple Sources Affected by the Same TI Destination",
"enabled": false,
"query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))\n| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n| where array_length(AffectedIps) > MinAffectedThreshold\n| mv-expand SourceIp = AffectedIps\n| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 1,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"AzureDiagnostics",
"AZFWThreatIntel"
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
"Exfiltration",
"CommandAndControl"
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
"properties": {
"description": "Azure Firewall Analytics Rule 4",
"parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
"contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"contentKind": "AnalyticsRule",
"displayName": "Multiple Sources Affected by the Same TI Destination",
"contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
"id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
"version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall - Abnormal Port to Protocol_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies communication for well known protocol over a non-standard port based on learning period activity. This can indicate malicious communication (C2) or exfiltration by attackers trying to communicate over known ports (22:SSH, 80:HTTP) but dont use the known protocol headers to match the port number.\n\nConfigurable Parameters:\n\n- Learning period time - learning period for protocol learning in days. Default is set to 7.",
"displayName": "Abnormal Port to Protocol",
"enabled": false,
"query": "let LearningPeriod = 7d;\nlet RunTime = 1d;\nlet StartLearningPeriod = LearningPeriod + RunTime;\nlet EndRunTime = RunTime - 1d;\nlet LearningPortToProtocol1 = (AzureDiagnostics\n| where OperationName == \"AzureFirewallApplicationRuleLog\"\n| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))\n| extend msg_s= column_ifexists('msg_s',Message)\n| parse msg_s with Protocol \" request from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" *\n| where isnotempty(DestinationPort)\n| summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = Protocol, SourceIp, Fqdn);\nlet LearningPortToProtocol2 = (AZFWNetworkRule\n| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))\n| where isnotempty(DestinationPort)\n| extend Fqdn = DestinationIp\n| summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = Protocol, SourceIp, Fqdn);\nlet LearningPortToProtocol3 = (AZFWApplicationRule\n| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))\n| where isnotempty(DestinationPort)\n| summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = Protocol, SourceIp, Fqdn);\nlet AlertTimePortToProtocol1 = (AzureDiagnostics\n| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallApplicationRuleLog\"\n| extend msg_s= column_ifexists('msg_s',Message)\n| parse msg_s with Protocol \" request from \" SourceIp \":\" SourcePort \" to \" Fqdn \":\" DestinationPort:int \".\" *\n| where isnotempty(DestinationPort)\n| summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = Protocol);\nlet AlertTimePortToProtocol2 = (AZFWNetworkRule\n| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))\n| where isnotempty(DestinationPort)\n| extend Fqdn = DestinationIp\n| summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = Protocol);\nlet AlertTimePortToProtocol3 = (AZFWApplicationRule\n| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))\n| where isnotempty(DestinationPort)\n| summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = Protocol);\n(union isfuzzy=true \n(AlertTimePortToProtocol1 \n| join kind=leftouter (LearningPortToProtocol1) on $left.AlertTimeDstPort == $right.LearningTimeDstPort\n| where LearningTimeProtocol != AlertTimeProtocol),\n(AlertTimePortToProtocol2 \n| join kind=leftouter (LearningPortToProtocol2) on $left.AlertTimeDstPort == $right.LearningTimeDstPort\n| where LearningTimeProtocol != AlertTimeProtocol),\n(AlertTimePortToProtocol3 \n| join kind=leftouter (LearningPortToProtocol3) on $left.AlertTimeDstPort == $right.LearningTimeDstPort\n| where LearningTimeProtocol != AlertTimeProtocol))\n",
"queryFrequency": "PT1H",
"queryPeriod": "P8D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 1,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"AzureDiagnostics",
"AZFWApplicationRule",
"AZFWNetworkRule"
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
"DefenseEvasion",
"Exfiltration",
"CommandAndControl"
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
"properties": {
"description": "Azure Firewall Analytics Rule 5",
"parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
"contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"contentKind": "AnalyticsRule",
"displayName": "Abnormal Port to Protocol",
"contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
"id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
"version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Azure Firewall - Abnormal Deny Rate for Source IP_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access or C2, where attacker tries to exploit the same vulnerability on machines in the organization, but is being blocked by firewall rules.\n\nConfigurable Parameters:\n\n- Minimum of stds threshold - the number of stds to use in the threshold calculation. Default is set to 3.\n- Learning period time - learning period for threshold calculation in days. Default is set to 5.\n- Bin time - learning buckets time in hours. Default is set to 1 hour.\n- Minimum threshold - minimum threshold for alert. Default is set to 5.\n- Minimum bucket threshold - minimum learning buckets threshold for alert. Default is set to 5.",
"displayName": "Abnormal Deny Rate for Source IP",
"enabled": false,
"query": "let LearningPeriod = 1d;\nlet RunTime = 1h;\nlet StartLearningPeriod = LearningPeriod + RunTime;\nlet EndRunTime = RunTime - 1h;\nlet BinTime = 1h;\nlet NumOfStdsThreshold = 3;\nlet MinThreshold = 5.0;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = (union isfuzzy=true\n(AzureDiagnostics\n| where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\" \n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \". \" * \"Action: \" Action \".\" *\n| where Action == \"Deny\"\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWNetworkRule\n| extend Fqdn = DestinationIp\n| where Action == \"Deny\"\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWFlowTrace\n| extend Fqdn = DestinationIp\n| where Action == \"Deny\"\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWIdpsSignature\n| extend Fqdn = DestinationIp\n| where Action == \"Deny\"\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWApplicationRule\n| where Action == \"Deny\"\n| where isnotempty(Fqdn) and isnotempty(SourceIp)));\nlet LearningSrcIpDenyRate = (TrafficLogs\n| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))\n| summarize count() by SourceIp, bin(TimeGenerated, BinTime), Fqdn\n| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, Fqdn\n| where LearningTimeBuckets > MinLearningBuckets);\nlet AlertTimeSrcIpDenyRate = (TrafficLogs\n| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))\n| summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp);\nAlertTimeSrcIpDenyRate\n| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp\n| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)\n| where AlertTimeSrcIpDenyRateCount > LearningThreshold\n| project-away SourceIp1, LearningTimeSrcIpDenyRateAvg, LearningTimeSrcIpDenyRateStd\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT25H",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 1,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"AzureDiagnostics",
"AZFWApplicationRule",
"AZFWNetworkRule",
"AZFWFlowTrace",
"AZFWIdpsSignature"
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
"InitialAccess",
"Exfiltration",
"CommandAndControl"
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
"properties": {
"description": "Azure Firewall Analytics Rule 6",
"parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
"contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"contentKind": "AnalyticsRule",
"displayName": "Abnormal Deny Rate for Source IP",
"contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
"id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
"version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.4",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Azure Firewall",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <a href=\"https://docs.microsoft.com/azure/firewall/overview\">Azure Firewall</a> solution for Microsoft Sentinel enables ingestion of DNS Proxy, Application Rule and Network Rule <a href=\"https://docs.microsoft.com/azure/firewall/logs-and-metrics\">logs</a> from Azure Firewalls.</p>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in <a href=\"https://azure.microsoft.com/support/legal/preview-supplemental-terms/\">Preview</a> state or might result in additional ingestion or operational costs:</p>\n<ol type=\"a\">\n<li><a href=\"https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal\">Azure Monitor Resource Diagnostics</a></li>\n</ol>\n<p><strong>Data Connectors:</strong> 1, <strong>Workbooks:</strong> 2, <strong>Analytic Rules:</strong> 6, <strong>Hunting Queries:</strong> 5, <strong>Custom Azure Logic Apps Connectors:</strong> 1, <strong>Playbooks:</strong> 3</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/AzFirewalls.svg\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "Azure Firewall",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId1')]",
"version": "[variables('workbookVersion1')]"
},
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId2')]",
"version": "[variables('workbookVersion2')]"
},
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_AzureFirewallConnector')]",
"version": "[variables('playbookVersion1')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_AzureFirewall-BlockIP-addToIPGroup')]",
"version": "[variables('playbookVersion2')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_AzureFirewall-AddIPtoTIAllowList')]",
"version": "[variables('playbookVersion3')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_AzureFirewall-BlockIP-addNewRule')]",
"version": "[variables('playbookVersion4')]"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"version": "[variables('huntingQueryObject2').huntingQueryVersion2]"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
"version": "[variables('huntingQueryObject3').huntingQueryVersion3]"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
"version": "[variables('huntingQueryObject4').huntingQueryVersion4]"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
"version": "[variables('huntingQueryObject5').huntingQueryVersion5]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
}
]
},
"firstPublishDate": "2022-05-23",
"providers": [
"Microsoft"
],
"categories": {
"domains": [
"Security - Threat Protection",
"Security - Automation (SOAR)"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку