{
|
||
"name": "AzureFirewall-{Workspace_Name}",
|
||
"type": "Microsoft.Portal/dashboards",
|
||
"location": "{Dashboard_Location}",
|
||
"tags": {
|
||
"dashboardKey": "AzureFirewall",
|
||
"hidden-title": "Azure Firewall - {Workspace_Name}",
|
||
"version": "1.1",
|
||
"workspaceName": "{Workspace_Name}"
|
||
},
|
||
"properties": {
|
||
"lenses": {
|
||
"0": {
|
||
"order": 0,
|
||
"parts": {
|
||
"0": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 0,
|
||
"colSpan": 1,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "subscriptionId",
|
||
"value": "{Subscription_Id}"
|
||
},
|
||
{
|
||
"name": "resourceGroup",
|
||
"value": "{Resource_Group}"
|
||
},
|
||
{
|
||
"name": "workspaceName",
|
||
"value": "{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "dashboardName",
|
||
"value": "AzureFirewall"
|
||
},
|
||
{
|
||
"name": "menuItemToOpen",
|
||
"value": "Dashboards"
|
||
}
|
||
],
|
||
"type": "Extension/Microsoft_Azure_Security_Insights/PartType/AsiOverviewPart",
|
||
"defaultMenuItemId": "0"
|
||
}
|
||
},
|
||
"1": {
|
||
"position": {
|
||
"x": 1,
|
||
"y": 0,
|
||
"colSpan": 15,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [],
|
||
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
||
"settings": {
|
||
"content": {
|
||
"settings": {
|
||
"content": "<div style='font-size:300%;'>Azure Firewall - overview</div>\n\n",
|
||
"title": "",
|
||
"subtitle": ""
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"2": {
|
||
"position": {
|
||
"x": 16,
|
||
"y": 0,
|
||
"colSpan": 2,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [],
|
||
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
||
"settings": {
|
||
"content": {
|
||
"settings": {
|
||
"content": "<img width='50' height='50' src='https://106c4.wpc.azureedge.net/80106C4/Gallery-Prod/cdn/2015-02-24/prod20161101-microsoft-windowsazure-gallery/microsoft.AzureFirewall-Arm.1.0.4/Icons/Large.png'/> ",
|
||
"title": "",
|
||
"subtitle": ""
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"3": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 1,
|
||
"colSpan": 9,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics \r\n| where ResourceType == \"AZUREFIREWALLS\" \r\n| summarize Volume=count() by TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "Volume",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "7a279309-4d2d-4c29-821e-88bb0e4c660e"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Line"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Events, by time",
|
||
"PartSubTitle": ""
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"4": {
|
||
"position": {
|
||
"x": 9,
|
||
"y": 1,
|
||
"colSpan": 9,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics \r\n| where ResourceType == \"AZUREFIREWALLS\" \r\n| summarize count() by Category, TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "count_",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [
|
||
{
|
||
"name": "Category",
|
||
"type": "String"
|
||
}
|
||
],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "e43210b9-219e-4454-a92e-d89ac851c6d3"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Line"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Event categories, by time",
|
||
"PartSubTitle": ""
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"5": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 5,
|
||
"colSpan": 9,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| summarize amount = count() by Resource, ResourceGroup\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "ecd5abf3-394c-44e4-8034-8ff96464d8d5"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Application rule events, by firewall and resource group",
|
||
"PartSubTitle": ""
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"6": {
|
||
"position": {
|
||
"x": 9,
|
||
"y": 5,
|
||
"colSpan": 9,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\" | summarize count() by Category\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "Category",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "count_",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "ae80cad7-a26d-4e0a-9603-203e5365d97f"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsDonut"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Events, by category",
|
||
"PartSubTitle": ""
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"7": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 9,
|
||
"colSpan": 18,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [],
|
||
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
||
"settings": {
|
||
"content": {
|
||
"settings": {
|
||
"content": "<div style='font-size:300%;'>Azure Firewall - Application rule log statistics</div>\r\n",
|
||
"title": "",
|
||
"subtitle": ""
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"8": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 10,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Deny\" | summarize Amount=dcount(SourceIP) by SourceIP\r\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "SourceIP",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "Amount",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "a7f860b9-cb1c-48a4-9f3a-d67ec9834370"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsDonut"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Unique source IP addresses",
|
||
"PartSubTitle": ""
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"9": {
|
||
"position": {
|
||
"x": 6,
|
||
"y": 10,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Allow\" \r\n| summarize count() by URL=FQDN\r\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "URL",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "count_",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "dc3e7d37-725c-4ad1-9c0c-7d386d962b7b"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsDonut"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Allowed URL addresses",
|
||
"PartSubTitle": ""
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"10": {
|
||
"position": {
|
||
"x": 12,
|
||
"y": 10,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)| where Action == \"Deny\" \r\n| summarize count() by URL=FQDN\r\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "URL",
|
||
"type": "String"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "count_",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "702f6197-4bd9-404f-b2ec-7d5cfa07636d"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsDonut"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Denied URL addresses",
|
||
"PartSubTitle": ""
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"11": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 14,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Deny\" | summarize Amount=dcount(SourceIP) by SourceIP, Protocol, URL = FQDN, TargetPortInt, Action\r\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "6a54bcd1-42b4-45fa-b1a9-3465cb7b0589"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsGrid"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"isOptional": true
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"isOptional": true
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Unique source IP addresses",
|
||
"PartSubTitle": "",
|
||
"GridColumnsWidth": {
|
||
"Protocol": "90px",
|
||
"SourceIP": "98px",
|
||
"TargetPortInt": "102px"
|
||
}
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"12": {
|
||
"position": {
|
||
"x": 6,
|
||
"y": 14,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort) | where Action == \"Allow\" \r\n| summarize count() by URL=FQDN, bin(TimeGenerated,15min)\r\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "count_",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [
|
||
{
|
||
"name": "URL",
|
||
"type": "String"
|
||
}
|
||
],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "9ec8a61b-0e04-40be-9b41-139ff2aff5f5"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Line"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Allowed URL addresses, by time",
|
||
"PartSubTitle": ""
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"13": {
|
||
"position": {
|
||
"x": 12,
|
||
"y": 14,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics | where Category == \"AzureFirewallApplicationRule\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails | parse TempDetails with \"was \" Action1 \". Reason: \" Rule1 | parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" * | parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a | parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b | extend SourcePort = tostring(SourcePortInt) | extend TargetPort = tostring(TargetPortInt) | extend Action1 = case(Action1 == \"denied\",\"Deny\",\"Unknown Action\") | extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), RuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)| where Action == \"Deny\" \r\n| summarize count() by URL=FQDN, bin(TimeGenerated,15min)\r\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "count_",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [
|
||
{
|
||
"name": "URL",
|
||
"type": "String"
|
||
}
|
||
],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "c75ebea2-305d-4e9a-b4c1-06216e50e4d7"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Line"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Denied URL addresses, by time",
|
||
"PartSubTitle": ""
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"14": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 18,
|
||
"colSpan": 18,
|
||
"rowSpan": 1
|
||
},
|
||
"metadata": {
|
||
"inputs": [],
|
||
"type": "Extension/HubsExtension/PartType/MarkdownPart",
|
||
"settings": {
|
||
"content": {
|
||
"settings": {
|
||
"content": "<div style='font-size:300%;'>Azure Firewall - Network rule log statistics</div>\n",
|
||
"title": "",
|
||
"subtitle": ""
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"15": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 19,
|
||
"colSpan": 18,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
|
||
}
|
||
},
|
||
{
|
||
"name": "Query",
|
||
"value": "AzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| parse msg_s with Protocol \" request from\" SourceIP \":\" SourcePortInt:int \" to\" TargetIP \":\" TargetPortInt:int *\r\n| parse msg_s with * \". Action: \" Action1a\r\n| parse msg_s with * \" was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from\" SourceIP2 \" to\" TargetIP2 \". Action:\" Action2\r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)\r\n| extend Action = case(Action1a == \"\", case(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", Protocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),TargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),NatDestination = case(NatDestination == \"\", \"N/A\", NatDestination)\r\n| summarize count() by Action, TimeGenerated\n"
|
||
},
|
||
{
|
||
"name": "TimeRange",
|
||
"value": "P1D"
|
||
},
|
||
{
|
||
"name": "Dimensions",
|
||
"value": {
|
||
"xAxis": {
|
||
"name": "TimeGenerated",
|
||
"type": "DateTime"
|
||
},
|
||
"yAxis": [
|
||
{
|
||
"name": "count_",
|
||
"type": "Int64"
|
||
}
|
||
],
|
||
"splitBy": [
|
||
{
|
||
"name": "Action",
|
||
"type": "String"
|
||
}
|
||
],
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"name": "Version",
|
||
"value": "1.0"
|
||
},
|
||
{
|
||
"name": "DashboardId",
|
||
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
|
||
},
|
||
{
|
||
"name": "PartId",
|
||
"value": "a61bc484-e9cd-4f0a-b1bc-4020bd406116"
|
||
},
|
||
{
|
||
"name": "PartTitle",
|
||
"value": "Analytics"
|
||
},
|
||
{
|
||
"name": "PartSubTitle",
|
||
"value": ""
|
||
},
|
||
{
|
||
"name": "resourceTypeMode",
|
||
"value": "workspace"
|
||
},
|
||
{
|
||
"name": "ControlType",
|
||
"value": "AnalyticsChart"
|
||
},
|
||
{
|
||
"name": "SpecificChart",
|
||
"value": "Line"
|
||
}
|
||
],
|
||
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
|
||
"settings": {
|
||
"content": {
|
||
"PartTitle": "Actions, by time",
|
||
"PartSubTitle": ""
|
||
}
|
||
},
|
||
"asset": {
|
||
"idInputName": "ComponentId",
|
||
"type": "ApplicationInsights"
|
||
}
|
||
}
|
||
},
|
||
"16": {
|
||
"position": {
|
||
"x": 0,
|
||
"y": 23,
|
||
"colSpan": 6,
|
||
"rowSpan": 4
|
||
},
|
||
"metadata": {
|
||
"inputs": [
|
||
{
|
||
"name": "ComponentId",
|
||
"value": {
|
||
"SubscriptionId": "{Subscription_Id}",
|
||
"ResourceGroup": "{Resource_Group}",
|
||
"Name": "{Workspace_Name}",
|
||
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n| summarize amount = count() by Action\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "Action",
"type": "String"
},
"yAxis": [
{
"name": "amount",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "29ea3ed2-1d64-492d-82d9-8b36189187c8"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Rule actions",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"17": {
"position": {
"x": 6,
"y": 23,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination \r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", case(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", Protocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),TargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort), NatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n| summarize Count=count() by TargetPort\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TargetPort",
"type": "String"
},
"yAxis": [
{
"name": "Count",
"type": "Int64"
}
],
"splitBy": [],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "27824317-7840-48a5-8dc0-3e0d4690f7fc"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsDonut"
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Target ports",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"18": {
"position": {
"x": 12,
"y": 23,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n//| where Action == \"DNAT'ed\"\r\n| summarize Amount=count() by NatDestination\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "f2c4c8ee-2219-4fa4-a88f-32106cafecdc"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "DNAT actions",
"PartSubTitle": "",
"Query": "AzureDiagnostics \n| where Category == \"AzureFirewallNetworkRule\" \n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \n| parse msg_s with * \". Action: \" Action1a \n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \n| extend Action = case(Action1a == \"\", \ncase(Action1b == \"\",Action2,Action1b), Action1a),\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \n| where Action == \"DNAT'ed\"\n| summarize Amount=count() by NatDestination\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"19": {
"position": {
"x": 0,
"y": 27,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n| summarize amount = count() by Action , SourceIP\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "6ca03d53-d42c-4267-87e9-3930b7e92b95"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Rule actions, by IP addresses",
"PartSubTitle": ""
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"20": {
"position": {
"x": 6,
"y": 27,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination \r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),Protocol = case(Protocol == \"\", \r\nProtocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort), \r\nNatDestination = case(NatDestination == \"\", \r\n\"N/A\", NatDestination) \r\n| summarize AMOUNT=count() by TargetPort, SourceIP\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "a9fbfe30-b16d-44fc-bc24-98bad8a940a1"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsGrid"
},
{
"name": "Dimensions",
"isOptional": true
},
{
"name": "SpecificChart",
"isOptional": true
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "Analytics",
"PartSubTitle": "Target ports"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
},
"21": {
"position": {
"x": 12,
"y": 27,
"colSpan": 6,
"rowSpan": 4
},
"metadata": {
"inputs": [
{
"name": "ComponentId",
"value": {
"SubscriptionId": "{Subscription_Id}",
"ResourceGroup": "{Resource_Group}",
"Name": "{Workspace_Name}",
"ResourceId": "/subscriptions/{Subscription_Id}/resourceGroups/{Resource_Group}/providers/Microsoft.OperationalInsights/workspaces/{Workspace_Name}"
}
},
{
"name": "Query",
"value": "AzureDiagnostics \r\n| where Category == \"AzureFirewallNetworkRule\" \r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \r\n| parse msg_s with * \". Action: \" Action1a \r\n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\r\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \r\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \r\n| extend Action = case(Action1a == \"\", \r\ncase(Action1b == \"\",Action2,Action1b), Action1a),\r\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\r\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\r\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\r\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\r\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\r\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \r\n//| where Action == \"DNAT'ed\"\r\n| summarize Amount=count() by NatDestination, TimeGenerated\r\n"
},
{
"name": "TimeRange",
"value": "P1D"
},
{
"name": "Dimensions",
"value": {
"xAxis": {
"name": "TimeGenerated",
"type": "DateTime"
},
"yAxis": [
{
"name": "Amount",
"type": "Int64"
}
],
"splitBy": [
{
"name": "NatDestination",
"type": "String"
}
],
"aggregation": "Sum"
}
},
{
"name": "Version",
"value": "1.0"
},
{
"name": "DashboardId",
"value": "/subscriptions/{Subscription_Id}/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/AzureFirewallDashboard_{Workspace_Name}"
},
{
"name": "PartId",
"value": "1aa875a4-df6b-41e5-9723-b7b78e0568ae"
},
{
"name": "PartTitle",
"value": "Analytics"
},
{
"name": "PartSubTitle",
"value": ""
},
{
"name": "resourceTypeMode",
"value": "workspace"
},
{
"name": "ControlType",
"value": "AnalyticsChart"
},
{
"name": "SpecificChart",
"value": "Line"
}
],
"type": "Extension/AppInsightsExtension/PartType/AnalyticsPart",
"settings": {
"content": {
"PartTitle": "DNAT'ed over time",
"PartSubTitle": "",
"Query": "AzureDiagnostics \n| where Category == \"AzureFirewallNetworkRule\" \n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int * \n| parse msg_s with * \". Action: \" Action1a \n| parse msg_s with * \"was \" Action1b \" to \" NatDestination\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action:\" Action2 \n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) \n| extend Action = case(Action1a == \"\", \ncase(Action1b == \"\",Action2,Action1b), Action1a),\nProtocol = case(Protocol == \"\", Protocol2, Protocol),\nSourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\nTargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\nSourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\nTargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\nNatDestination = case(NatDestination == \"\", \"N/A\", NatDestination) \n| where Action == \"DNAT'ed\"\n| summarize Amount=count() by NatDestination, TimeGenerated\n"
}
},
"asset": {
"idInputName": "ComponentId",
"type": "ApplicationInsights"
}
}
}
}
}
}
}
}