Azure-Sentinel/Dashboards/Azure_Firewall.json


{
"name": "AzureFirewall-{Workspace_Name}",
"type": "Microsoft.Portal/dashboards",
"location": "{Dashboard_Location}",
"tags": {
"dashboardKey": "AzureFirewall",
"hidden-title": "Azure Firewall - {Workspace_Name}",
"version": "1.1",
"workspaceName": "{Workspace_Name}"
},
"properties": {
"lenses": {
"0": {
"order": 0,
"parts": {
"0": {
"position": {
"x": 0,
"y": 0,
"colSpan": 1,
"rowSpan": 1
},
"metadata": {
"inputs": [
{
"name": "subscriptionId",
"value": "{Subscription_Id}"
},
{
"name": "resourceGroup",
"value": "{Resource_Group}"
},
{
"name": "workspaceName",
"value": "{Workspace_Name}"
},
{
"name": "dashboardName",
"value": "AzureFirewall"
},
{
"name": "menuItemToOpen",
"value": "Dashboards"
}
],
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
"defaultMenuItemId": "0"
}
},
"1": {
"position": {
"x": 1,
"y": 0,
"colSpan": 15,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Azure Firewall - overview</div>\n\n",
"title": "",
"subtitle": ""
}
}
}
}
},
"2": {
"position": {
"x": 16,
"y": 0,
"colSpan": 2,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<img width='50' height='50' src='https://106c4.wpc.azureedge.net/80106C4/Gallery-Prod/cdn/2015-02-24/prod20161101-microsoft-windowsazure-gallery/microsoft.AzureFirewall-Arm.1.0.4/Icons/Large.png'/> ",
"title": "",
"subtitle": ""
}
}
}
}
},
"3": {
"position": {
"x": 0,
"y": 1,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where ResourceType == \"AZUREFIREWALLS\" \r\n| summarize Volume=count() by TimeGenerated\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Volume",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "7a279309-4d2d-4c29-821e-88bb0e4c660e"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Events, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"4": {
"position": {
"x": 9,
"y": 1,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where ResourceType == \"AZUREFIREWALLS\" \r\n| summarize count() by Category, TimeGenerated\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Category",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "e43210b9-219e-4454-a92e-d89ac851c6d3"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Event categories, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"5": {
"position": {
"x": 0,
"y": 5,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| summarize amount = count() by Resource, ResourceGroup\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ecd5abf3-394c-44e4-8034-8ff96464d8d5"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Firewall per resource group",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"6": {
"position": {
"x": 9,
"y": 5,
"colSpan": 9,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\" | summarize count() by Category\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Category",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "ae80cad7-a26d-4e0a-9603-203e5365d97f"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Events, by category",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"7": {
"position": {
"x": 0,
"y": 9,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Azure Firewall - Application rule log statistics</div>\r\n",
"title": "",
"subtitle": ""
}
}
}
}
},
"8": {
"position": {
"x": 0,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Deny\" | summarize Amount=dcount(SourceIP) by SourceIP\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "SourceIP",
"type": "String"
},
"yAxis": [
{
"name": "Amount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "a7f860b9-cb1c-48a4-9f3a-d67ec9834370"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Unique source IP addresses",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"9": {
"position": {
"x": 6,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Allow\" \r\n| summarize count() by URL=FQDN\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "URL",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "dc3e7d37-725c-4ad1-9c0c-7d386d962b7b"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Allowed URL addresses",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"10": {
"position": {
"x": 12,
"y": 10,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)| where Action == \"Deny\" \r\n| summarize count() by URL=FQDN\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "URL",
"type": "String"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "702f6197-4bd9-404f-b2ec-7d5cfa07636d"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Denied URL addresses",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"11": {
"position": {
"x": 0,
"y": 14,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Deny\" | summarize Amount=dcount(SourceIP) by SourceIP, Protocol, URL = FQDN, TargetPortInt, Action\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "6a54bcd1-42b4-45fa-b1a9-3465cb7b0589"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Unique source IP addresses",
"PartSubTitle": "",
"GridColumnsWidth": {
"Protocol": "90px",
"SourceIP": "98px",
"TargetPortInt": "102px"
}
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"12": {
"position": {
"x": 6,
"y": 14,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Allow\" \r\n| summarize count() by URL=FQDN, bin(TimeGenerated,15min)\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "URL",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "9ec8a61b-0e04-40be-9b41-139ff2aff5f5"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Allowed URL addresses, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"13": {
"position": {
"x": 12,
"y": 14,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)| where Action == \"Deny\" \r\n| summarize count() by URL=FQDN, bin(TimeGenerated,15min)\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "URL",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "c75ebea2-305d-4e9a-b4c1-06216e50e4d7"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Denied URL addresses, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"14": {
"position": {
"x": 0,
"y": 18,
"colSpan": 18,
"rowSpan": 1
},
"metadata": {
"inputs": [],
"type": "Extension/HubsExtension/PartType/MarkdownPart",
"settings": {
"content": {
"settings": {
"content": "<div style='font-size:300%;'>Azure Firewall - Network rule log statistics</div>\n",
"title": "",
"subtitle": ""
}
}
}
}
},
"15": {
"position": {
"x": 0,
"y": 19,
"colSpan": 18,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| parse msg_s with Protocol \" request from\" SourceIP \":\" SourcePortInt:int \" to\" TargetIP \":\" TargetPortInt:int *\r\n| parse msg_s with * \". Action: \" Action1a\r\n| parse msg_s with * \" was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from\" SourceIP2 \" to\" TargetIP2 \". Action:\" Action2\r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)\r\n| extend Action = case(Action1a == \"\", case(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", Protocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),TargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),NatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)\r\n| summarize count() by Action, TimeGenerated\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "count_",
"type": "Int64"
}
],
"splitBy": [
{
"name": "Action",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "a61bc484-e9cd-4f0a-b1bc-4020bd406116"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Actions, by time",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"16": {
"position": {
"x": 0,
"y": 23,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n| summarize amount = count() by Action\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Action",
"type": "String"
},
"yAxis": [
{
"name": "amount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "29ea3ed2-1d64-492d-82d9-8b36189187c8"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Rule actions",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"17": {
"position": {
"x": 6,
"y": 23,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination \r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", case(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", Protocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),TargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort), NatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n| summarize Count=count() by TargetPort\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TargetPort",
"type": "String"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "27824317-7840-48a5-8dc0-3e0d4690f7fc"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Target ports",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"18": {
"position": {
"x": 12,
"y": 23,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n//| where Action == \"DNAT'ed\"\r\n| summarize Amount=count() by NatDestination\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "f2c4c8ee-2219-4fa4-a88f-32106cafecdc"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "DNAT actions",
"PartSubTitle": "",
"Query": "AzureDiagnostics \n| where Category == \"AzureFirewallNetworkRule\" \n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \n| parse msg_s with * \". Action: \" Action1a \n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \n| extend Action = case(Action1a == \"\", \ncase(Action1b == \"\",Action2,Action1b), Action1a),\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \n| where Action == \"DNAT'ed\"\n| summarize Amount=count() by NatDestination\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"19": {
"position": {
"x": 0,
"y": 27,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n| summarize amount = count() by Action , SourceIP\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "6ca03d53-d42c-4267-87e9-3930b7e92b95"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Rule actions, by source IP address",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"20": {
"position": {
"x": 6,
"y": 27,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination \r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", \r\nProtocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort), \r\nNatDestination = case(NatDestination == \"\", \r\n\"N/A\", NatDestination) \r\n| summarize AMOUNT=count() by TargetPort, SourceIP\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "a9fbfe30-b16d-44fc-bc24-98bad8a940a1"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Target ports, by source IP address",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"21": {
"position": {
"x": 12,
"y": 27,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n//| where Action == \"DNAT'ed\"\r\n| summarize Amount=count() by NatDestination, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Amount",
"type": "Int64"
}
],
"splitBy": [
{
"name": "NatDestination",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "1aa875a4-df6b-41e5-9723-b7b78e0568ae"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "DNAT'ed over time",
"PartSubTitle": "",
"Query": "AzureDiagnostics \n| where Category == \"AzureFirewallNetworkRule\" \n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \n| parse msg_s with * \". Action: \" Action1a \n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \n| extend Action = case(Action1a == \"\", \ncase(Action1b == \"\",Action2,Action1b), Action1a),\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \n| where Action == \"DNAT'ed\"\n| summarize Amount=count() by NatDestination, TimeGenerated\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
}
}
}
}
}
}