Update AzureFirewall.JSON
Updating the Azure Firewall Sentinel Connector with Resource Specific Logs
shabaz-github authored Dec 21, 2023
1 parent 2ab5685 commit ae02383
Showing 1 changed file with 83 additions and 7 deletions.
90 changes: 83 additions & 7 deletions Solutions/Azure Firewall/Data Connectors/AzureFirewall.JSON
Expand Up @@ -7,37 +7,109 @@
"logo": "AzureFirewall.svg",
"graphQueries": [
{
"metricName": "Total data received",
"metricName": "Total data received Legacy Azure Diganostics",
"legend": "AzureDiagnostics",
"baseQuery": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\""
},
{
"metricName": "Total data received Application Rule Logs",
"legend": "ApplicationRule-ResourceSpecific",
"baseQuery": "AZFWApplicationRule"
},
{
"metricName": "Total data received Network Rule Logs",
"legend": "NetworkRule-ResourceSpecific",
"baseQuery": "AZFWNetworkRule"
},
{
"metricName": "Total data received Nat Rule Logs",
"legend": "NatRule-ResourceSpecific",
"baseQuery": "AZFWNatRule"
},
{
"metricName": "Total data received Threat Intel Logs",
"legend": "ThreatIntel-ResourceSpecific",
"baseQuery": "AZFWThreatIntel"
},
{
"metricName": "Total data received IDPS Logs",
"legend": "IDPSSignature-ResourceSpecific",
"baseQuery": "AZFWIdpsSignature"
},
{
"metricName": "Total data received DNS Query Logs",
"legend": "DNSQuery-ResourceSpecific",
"baseQuery": "AZFWDnsQuery"
}
],
"sampleQueries": [
{
"description": "All logs",
"description": "All logs Legacy Azure Diagnostics",
"query": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\"\n | sort by TimeGenerated"
},
{
"description": "Threat Intel Matches",
"description": "Threat Intel Matches Legacy Azure Diagnostics",
"query": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\"\n | where OperationName == \"AzureFirewallThreatIntelLog\""
},
{
"description": "Log Parser",
"description": "Log Parser Legacy Azure Diagnostics",
"query": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\"\n | parse msg_s with Protocol_s 'request from ' SourceHost_s ':' SourcePort_s 'to ' DestinationHost_s ':' DestinationPort_s 'was' Action_s 'to' DNATDestination\n | parse msg_s with Protocol_S 'request from ' SourceHost_S ':' SourcePort_S 'to ' DestinationHost_S ':' DestinationPort_S '. Action:' Action_S\n | extend Protocol = strcat(Protocol_s, Protocol_S), SourceHost = strcat(SourceHost_s, SourceHost_S),SourcePort = strcat(SourcePort_s, SourcePort_S), DestinationHost = strcat(DestinationHost_s, DestinationHost_S), DestinationPort = strcat(DestinationPort_s, DestinationPort_S), Action = strcat(Action_s, Action_S)\n | project TimeGenerated , Protocol , SourceHost , SourcePort , DestinationHost , DestinationPort , DNATDestination , Action , Resource , ResourceGroup , SubscriptionId , OperationName , msg_s\n | sort by TimeGenerated desc"
},
{
"description": "Application Rule Logs - Resource Specific",
"query": "AZFWApplicationRule\n | take 100"
},
{
"description": "Network Rule Logs - Resource Specific",
"query": "AZFWNetworkRule\n | take 100"
},
{
"description": "DNS Proxy Logs - Resource Specific",
"query": "AZFWDnsQuery\n | take 100"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
"AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWApplicationRule\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWNetworkRule\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWNatRule\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWThreatIntel\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWIdpsSignature\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"AZFWDnsQuery\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [
{
"name": "AzureDiagnostics (Azure Firewall)",
"lastDataReceivedQuery": "AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Azure Firewall Application Rule - Resource Specific",
"lastDataReceivedQuery": "AZFWApplicationRule\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Azure Firewall Network Rule - Resource Specific",
"lastDataReceivedQuery": "AZFWNetworkRule\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Azure Firewall Nat Rule - Resource Specific",
"lastDataReceivedQuery": "AZFWNatRule\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Azure Firewall Threat Intelligence - Resource Specific",
"lastDataReceivedQuery": "AZFWThreatIntel\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Azure Firewall IDPS Signature - Resource Specific",
"lastDataReceivedQuery": "AZFWIdpsSignature\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Azure Firewall DNS Query - Resource Specific",
"lastDataReceivedQuery": "AZFWDnsQuery\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"availability": {
Expand Down Expand Up @@ -72,8 +144,12 @@
]
},
{
"title": "",
"description": "Inside your Firewall resource:\n\n1. Select **Diagnostic logs.​**\n2. Select **+ Add diagnostic setting.​**\n3. In the **Diagnostic setting** blade:\n - Type a **Name**.\n - Select **Send to Log Analytics**.\n - Choose the log destination workspace.\n - Select the categories that you want to analyze (recommended: AzureFirewallApplicationRule, AzureFirewallNetworkRule)\n - Click **Save**."
"title": "Legacy Azure Diagnostics",
"description": "Inside your Firewall resource:\n\n1. Select **Diagnostic logs.​**\n2. Select **+ Add diagnostic setting.​**\n3. In the **Diagnostic setting** blade:\n - Type a **Name**.\n - Select **Send to Log Analytics**.\n - Choose the log destination workspace.\n - Select the categories that you want to analyze (recommended: AzureFirewallApplicationRule(LegacyAzureDiagnostics), AzureFirewallNetworkRule(LegacyAzureDiagnostics), AzureFirewallDNSProxy(LegacyAzureDiagnostics))\n - Choose the Log Destination Table: AzureDiagnostics\n - Click **Save**."
},
{
"title": "Resource Specific Logs",
"description": "Inside your Firewall resource:\n\n1. Select **Diagnostic logs.​**\n2. Select **+ Add diagnostic setting.​**\n3. In the **Diagnostic setting** blade:\n - Type a **Name**.\n - Select **Send to Log Analytics**.\n - Choose the log destination workspace.\n - Select the categories that you want to analyze (recommended: AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallNATRule, AzureFirewallThreatIntelligence, AzureFirewallIDPSSignature, AzureFirewallDNSQuery)\n - Choose the Log Destination Table: ResourceSpecific\n - Click **Save**."
}
]
}
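Review bot: The new metricName on the first graphQueries entry contains a user-visible typo, "Legacy Azure Diganostics"; it should read `"metricName": "Total data received Legacy Azure Diagnostics",` to match the legend and the sampleQueries descriptions that use "Legacy Azure Diagnostics". The resource-specific sampleQueries also cover only AZFWApplicationRule, AZFWNetworkRule and AZFWDnsQuery, while dataTypes and connectivityCriterias add AZFWNatRule, AZFWThreatIntel and AZFWIdpsSignature; adding a sample such as `"query": "AZFWThreatIntel\n | take 100"` (and similar for IDPS and NAT) would keep the three sections consistent and give analysts a starting query for the detection-relevant tables. With seven IsConnectedQuery values now listed, it is worth confirming how the connector combines them — if all must return true, a workspace that receives only resource-specific logs would appear disconnected; the page does not show the evaluation rule. The category names quoted in the new "Resource Specific Logs" description should be checked against the portal's diagnostic-setting category labels, since they differ in spelling from the AZFW table names used in the queries.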
