![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\")
",
"Description": "The Windows Firewall solution for Microsoft Sentinel allows you to ingest Windows Firewall Events into Microsoft Sentinel using the Log Analytics agent for Windows.\n\nInstalling this solution will deploy two data connectors,\n\r\n1. Windows Firewall Events via AMA - This data connector helps in ingesting Windows Firewall Events into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). Microsoft recommends using this Data Connector\r\n2. Windows Firewall - This solution installs the data connector to ingest Windows Firewall events using the Windows Firewall solution for Azure. After installing the solution, configure and enable this data connector by following guidance in Manage solution view.\n\r\n**NOTE**: Microsoft recommends Installation of Windows Firewall via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.
\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent based logs collection from Windows and Linux machines](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs?WT.mc_id=Portal-fx)", "Data Connectors": [ - "Data Connectors/Windows Firewall.json" + "Data Connectors/Windows Firewall.json", + "Data Connectors/template_WindowsFirewallAma.json" ], "Workbooks": [ "Workbooks/WindowsFirewall.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Windows Firewall", - "Version": "3.0.0", + "Version": "3.0.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": true diff --git a/Solutions/Windows Firewall/Package/3.0.1.zip b/Solutions/Windows Firewall/Package/3.0.1.zip new file mode 100644 index 00000000000..01ea1d9cfcd Binary files /dev/null and b/Solutions/Windows Firewall/Package/3.0.1.zip differ diff --git a/Solutions/Windows Firewall/Package/createUiDefinition.json b/Solutions/Windows Firewall/Package/createUiDefinition.json index 9553e4680d6..20073f2507e 100644 --- a/Solutions/Windows Firewall/Package/createUiDefinition.json +++ b/Solutions/Windows Firewall/Package/createUiDefinition.json @@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Firewall/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe Windows Firewall solution for Microsoft Sentinel allows you to ingest Windows Firewall Events into Microsoft Sentinel using the Log Analytics agent for Windows.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent based logs collection from Windows and Linux machines](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs?WT.mc_id=Portal-fx)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Firewall/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe Windows Firewall solution for Microsoft Sentinel allows you to ingest Windows Firewall Events into Microsoft Sentinel using the Log Analytics agent for Windows.\n\nInstalling this solution will deploy two data connectors,\n\r\n1. Windows Firewall Events via AMA - This data connector helps in ingesting Windows Firewall Events into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). Microsoft recommends using this Data Connector\r\n2. Windows Firewall - This solution installs the data connector to ingest Windows Firewall events using the Windows Firewall solution for Azure. After installing the solution, configure and enable this data connector by following guidance in Manage solution view.\n\r\n**NOTE**: Microsoft recommends Installation of Windows Firewall via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.
\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent based logs collection from Windows and Linux machines](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs?WT.mc_id=Portal-fx)\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -63,6 +63,13 @@ "text": "This solution installs the data connector to ingest Windows Firewall events using the Windows Firewall solution for Azure. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, + { + "name": "dataconnectors2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Windows Firewall. You can get Windows Firewall custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, { "name": "dataconnectors-link2", "type": "Microsoft.Common.TextBlock", @@ -100,20 +107,6 @@ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" } } - }, - { - "name": "workbook1", - "type": "Microsoft.Common.Section", - "label": "Windows Firewall", - "elements": [ - { - "name": "workbook1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Gain insights into Windows Firewall logs in combination with security and Azure signin logs" - } - } - ] } ] } diff --git a/Solutions/Windows Firewall/Package/mainTemplate.json b/Solutions/Windows Firewall/Package/mainTemplate.json index 046d9e9f423..67a1c5af420 100644 --- a/Solutions/Windows Firewall/Package/mainTemplate.json +++ b/Solutions/Windows Firewall/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Windows Firewall", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-windowsfirewall", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "WindowsFirewall", @@ -50,13 +50,22 @@ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))),variables('dataConnectorVersion1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "uiConfigId2": "WindowsFirewallAma", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "WindowsFirewallAma", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "WindowsFirewall", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))),variables('workbookVersion1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", @@ -72,7 +81,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Windows Firewall data connector with template version 3.0.0", + "description": "Windows Firewall data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -222,6 +231,161 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Windows Firewall data connector with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "StaticUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "Windows Firewall Events via AMA (Preview)", + "publisher": "Microsoft", + "descriptionMarkdown": "Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocking potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. Customers wishing to stream their Windows Firewall application logs collected from their machines can now use the AMA to stream those logs to the Microsoft Sentinel workspace. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2228623&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ASimNetworkSessionLogs", + "baseQuery": "ASimNetworkSessionLogs\n| where EventProduct == \"Windows Firewall\"" + } + ], + "connectivityCriterias": [ + { + "type": "ASimNetworkSessionLogs", + "value": null + } + ], + "dataTypes": [ + { + "name": "ASimNetworkSessionLogs", + "lastDataReceivedQuery": "ASimNetworkSessionLogs\n| where EventProduct == \"Windows Firewall\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "Windows Firewall", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "Windows Firewall Events via AMA (Preview)", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId2')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "Windows Firewall", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "StaticUI", + "properties": { + "connectorUiConfig": { + "title": "Windows Firewall Events via AMA (Preview)", + "publisher": "Microsoft", + "descriptionMarkdown": "Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocking potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. Customers wishing to stream their Windows Firewall application logs collected from their machines can now use the AMA to stream those logs to the Microsoft Sentinel workspace. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2228623&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ASimNetworkSessionLogs", + "baseQuery": "ASimNetworkSessionLogs\n| where EventProduct == \"Windows Firewall\"" + } + ], + "dataTypes": [ + { + "name": "ASimNetworkSessionLogs", + "lastDataReceivedQuery": "ASimNetworkSessionLogs\n| where EventProduct == \"Windows Firewall\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "ASimNetworkSessionLogs", + "value": null + } + ], + "id": "[variables('_uiConfigId2')]" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -231,7 +395,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsFirewallWorkbook Workbook with template version 3.0.0", + "description": "WindowsFirewallWorkbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -249,7 +413,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Firewall\\n---\\nThis workbook requires the following data connectors:\\n\\n| Log | Requirements | Steps |\\n|:------------- |:-------------|:-----|\\n| Windows Firewall | Sentinel connector, Agent, Firewall log| Install Windows Firewall connector and monitor agent, Enable firewall logging on host|\\n| Windows Security Events (minimal)| Sentinel connector, Agent| Enable Security Event connector (minimal) and monitor agent |\\n| Azure Signin | Sentinel connector, Diagnostics setting| Create Diagnostics setting for signinlogs|\\n\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"24bfb86e-cf14-4585-a8fc-21f1f7f2227a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"resourceType\":\"microsoft.insights/components\"},{\"id\":\"7a206eb7-2655-42d5-a7d7-2e42bd04709b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Computers\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Heartbeat\\r\\n| where Solutions contains \\\"windowsFirewall\\\"\\r\\n| distinct Computer\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Heartbeat\\r\\n| where Solutions contains \\\"windowsFirewall\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Computer\\r\\n| project Computer, ['Last update'] = TimeGenerated, OSInfo = strcat(OSType, \\\" \\\", OSName, \\\" \\\", OSMajorVersion)\\r\\n| top 10 by ['Last update'] desc \\r\\n\",\"size\":4,\"title\":\"Active connected computers\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Computer\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"subtitleContent\":{\"columnMatch\":\"OSInfo\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true},\"dateFormat\":{\"formatName\":\"shortDateTimePattern\"}},\"secondaryContent\":{\"columnMatch\":\"Last update\",\"formatter\":6,\"formatOptions\":{\"showIcon\":true},\"dateFormat\":{\"formatName\":\"shortDateTimePattern\"}},\"showBorder\":true,\"sortCriteriaField\":\"Last update\",\"sortOrderField\":2}},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Heartbeat\\r\\n| where Solutions contains \\\"windowsFirewall\\\"\\r\\n| summarize dcount(Computer), ActiveComputers = makeset(Computer) by bin(TimeGenerated, 15m)\",\"size\":4,\"title\":\"Active connected computers timeline\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"ySettings\":{\"min\":0,\"max\":\"\"}}},\"customWidth\":\"33\",\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"----\\r\\n## Firewall events\\r\\n\\r\\nGeneral information about firewall port, IP's, protocols and actions\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let commonPorts = dynamic({\\\"443\\\": \\\"HTTPS\\\", \\\"80\\\":\\\"HTTP\\\", \\\"3389\\\":\\\"RDP\\\", \\\"53\\\":\\\"DNS\\\", \\\"389\\\":\\\"LDAP\\\", \\\"445\\\":\\\"SMB\\\", \\\"135\\\":\\\"RPC\\\", \\\"47001\\\":\\\"WinRM\\\",\\\"22\\\":\\\"ssh\\\", \\\"21\\\": \\\"ftp\\\"}); // Set of common portnames\\r\\nlet param_Computers = \\\"{Computers}\\\";\\r\\nWindowsFirewall \\r\\n| where isnotempty(DestinationPort) and (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers)) // Filter giver computers from parameter\\r\\n| summarize Dropped = countif(FirewallAction =~ \\\"DROP\\\"), Allowed = countif(FirewallAction =~ \\\"ALLOW\\\"), Total = count() by tostring(DestinationPort), Protocol\\r\\n| extend portName = iff(commonPorts contains DestinationPort, commonPorts[DestinationPort],DestinationPort)\\r\\n| sort by Total desc\\r\\n| project [\\\"Destination Port\\\"] = DestinationPort,['Core Protocol'] = Protocol , [\\\"Default Protocol\\\"] = portName, Total, Allowed, Dropped\",\"size\":0,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Destination Port\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Core Protocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Default Protocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Allowed\",\"formatter\":4,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Dropped\",\"formatter\":4,\"formatOptions\":{\"showIcon\":true}}]}},\"customWidth\":\"60\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let param_Computers = \\\"{Computers}\\\";\\r\\nWindowsFirewall \\r\\n| where isnotempty(DestinationPort) and (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers))// Filter giver computers from parameter\\r\\n| summarize Allowed = count() by tostring(DestinationPort)\\r\\n| sort by Allowed desc\\r\\n| project DestinationPort, Allowed\",\"size\":0,\"title\":\"Allowed Connections by Port\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"40\",\"name\":\"query - 11 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let commonPorts = dynamic({\\\"443\\\": \\\"HTTPS\\\", \\\"80\\\":\\\"HTTP\\\", \\\"3389\\\":\\\"RDP\\\", \\\"53\\\":\\\"DNS\\\", \\\"389\\\":\\\"LDAP\\\", \\\"445\\\":\\\"SMB\\\", \\\"135\\\":\\\"RPC\\\", \\\"47001\\\":\\\"WinRM\\\",\\\"22\\\":\\\"ssh\\\", \\\"21\\\": \\\"ftp\\\"}); // Set of common portnames\\r\\nlet param_Computers = \\\"{Computers}\\\";\\r\\nWindowsFirewall \\r\\n| where isnotempty(DestinationPort) and isnotempty(DestinationPort) and (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers))// Filter giver computers from parameter\\r\\n| summarize Allowed = count() by tostring(DestinationPort)\\r\\n| extend portName = iff(commonPorts contains DestinationPort, commonPorts[DestinationPort],DestinationPort)\\r\\n| sort by Allowed desc\\r\\n| project portName, Allowed\",\"size\":0,\"title\":\"Piechart by protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let commonPorts = dynamic({\\\"443\\\": \\\"HTTPS\\\", \\\"80\\\":\\\"HTTP\\\", \\\"3389\\\":\\\"RDP\\\", \\\"53\\\":\\\"DNS\\\", \\\"389\\\":\\\"LDAP\\\", \\\"445\\\":\\\"SMB\\\", \\\"135\\\":\\\"RPC\\\", \\\"47001\\\":\\\"WinRM\\\",\\\"22\\\":\\\"ssh\\\", \\\"21\\\": \\\"ftp\\\"}); // Set of common portnames\\r\\nlet param_Computers = \\\"{Computers}\\\";\\r\\nWindowsFirewall\\r\\n| where isnotempty(DestinationPort) and (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers))\\r\\n| extend DestinationPort = tostring(DestinationPort)\\r\\n| extend protocolName = iff(commonPorts has DestinationPort, commonPorts[DestinationPort],Protocol)\\r\\n| summarize Events = count() by bin(TimeGenerated,30m), protocolName\",\"size\":0,\"title\":\"Timechart by protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"66\",\"name\":\"query - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let param_Computers = \\\"{Computers}\\\";\\r\\nWindowsFirewall\\r\\n| where (Computer == param_Computers or param_Computers contains Computer or param_Computers == \\\"\\\")\\r\\n| summarize Events = count() by FirewallAction\",\"size\":0,\"title\":\"Piechart by firewall action\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let param_Computers = \\\"{Computers}\\\";\\r\\nWindowsFirewall\\r\\n| where (Computer == param_Computers or param_Computers contains Computer or param_Computers == \\\"\\\")\\r\\n| summarize Events = count() by bin(TimeGenerated,30m), FirewallAction\",\"size\":0,\"title\":\"Timechart by firewall action\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"66\",\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let param_Computers = \\\"{Computers}\\\";\\r\\nSecurityEvent\\r\\n| where AccountType == \\\"User\\\" and isnotempty(IpAddress) and (Computer == param_Computers or param_Computers contains Computer or param_Computers == \\\"\\\")\\r\\n| summarize EventCount = count(), DistinctIPCount = dcount(IpAddress),IPAddresses = makeset(IpAddress) by Account, Computer\\r\\n| top 10 by DistinctIPCount desc\\r\\n| extend machineAccount = strcat(Account,\\\" - \\\",Computer)\\r\\n| project Account, Computer, ['Distinct IP Count'] = DistinctIPCount, ['Event Count'] = EventCount, IPAddresses\",\"size\":0,\"title\":\"Windows Security Events by Account\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Distinct IP Count\",\"formatter\":4,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Event Count\",\"formatter\":4,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"IPAddresses\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Account\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Tries\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":8}},\"name\":\"query - 11\"},{\"type\":1,\"content\":{\"json\":\"----\\r\\n## Correlation\\r\\n\\r\\nThese visuals give a representation of the Windows firewall, security log and Azure signins events.\\r\\n\\r\\nResults below could mean a targeted attack to an organization's private and public cloud.Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Windows Firewall solution for Microsoft Sentinel allows you to ingest Windows Firewall Events into Microsoft Sentinel using the Log Analytics agent for Windows.
\nInstalling this solution will deploy two data connectors,
\n**NOTE**: Microsoft recommends Installation of Windows Firewall via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Workbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Windows Firewall solution for Microsoft Sentinel allows you to ingest Windows Firewall Events into Microsoft Sentinel using the Log Analytics agent for Windows.
\nInstalling this solution will deploy two data connectors,
\n**NOTE**: Microsoft recommends Installation of Windows Firewall via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 2, Workbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -366,6 +530,11 @@ "contentId": "[variables('_dataConnectorContentId1')]", "version": "[variables('dataConnectorVersion1')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]",