Azure Firewall_ARM.json

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
      "defaultValue": "Azure Firewall Workbook",
      "metadata": {
        "description": "The friendly name for the workbook that is used in the Gallery or Saved List.  This name must be unique within a resource group."
      }
    },
    "workbookType": {
      "type": "string",
      "allowedValues": [
          "workbook",
          "sentinel"
        ],
        "defaultValue": "workbook",
      "metadata": {
        "description": "The gallery that the workbook will been shown under. Supported values include workbook, tsg, etc. Usually, this is 'workbook'"
      }
    },
    "DiagnosticsWorkspaceName": {
      "type": "string",
      "defaultValue": "<WorkspaceName>",
      "metadata": {
        "description": "Provide the workspace name for your Network Diagnostic logs"
      }
    },
    "DiagnosticsWorkspaceSubscription": {
      "type": "string",
      "defaultValue": "<WorkspaceSubscriptionID>",
      "metadata": {
        "description": "Provide the workspace subscription GUID for your Network Diagnostic logs"
      }
    },
    "DiagnosticsWorkspaceResourceGroup": {
      "type": "string",
      "defaultValue": "<ResourceGroupName>",
      "metadata": {
        "description": "Provide the workspace resourcegroupname for your Network Diagnostic logs"
      }
    },
    "workbookId": {
      "type": "string",
      "defaultValue": "[newGuid()]",
      "metadata": {
        "description": "The unique guid for this workbook instance"
      }
    }
  },
  "variables": {
    "workbookSourceId": "[concat('/subscriptions/',parameters('DiagnosticsWorkspaceSubscription'),'/resourcegroups/', parameters('DiagnosticsWorkspaceResourceGroup'), '/providers/Microsoft.OperationalInsights/workspaces/',parameters('DiagnosticsWorkspaceName'))]",
    "workbookContent": {
      "version": "Notebook/1.0",
      "items": [
        {
          "type": 1,
          "content": {
            "json": "## Azure Firewall Workbook\r\n---\r\n"
          },
          "name": "text - 23"
        },
        {
          "type": 11,
          "content": {
            "version": "LinkItem/1.0",
            "style": "tabs",
            "links": [
              {
                "id": "20847ce8-91bc-4d8b-b878-a5a41c95c31c",
                "cellValue": "selectedTab",
                "linkTarget": "parameter",
                "linkLabel": "Azure Firewall Overview",
                "subTarget": "AFOverview",
                "preText": "Azure Firewall Overview",
                "style": "link"
              },
              {
                "id": "f564709d-1658-46a1-8b44-892210e13017",
                "cellValue": "selectedTab",
                "linkTarget": "parameter",
                "linkLabel": "Azure Firewall - Application rule log statistics",
                "subTarget": "AFAppRule",
                "style": "link"
              },
              {
                "id": "1f6661e2-f873-4d56-879d-4d085d8cf1d4",
                "cellValue": "selectedTab",
                "linkTarget": "parameter",
                "linkLabel": "Azure Firewall - Network rule log statistics",
                "subTarget": "AFNetRule",
                "style": "link"
              },
              {
                "id": "ef1548c5-ef55-4eaa-8a81-b049cb93b56c",
                "cellValue": "selectedTab",
                "linkTarget": "parameter",
                "linkLabel": "Azure Firewall - DNS Proxy",
                "subTarget": "AFDNSProxy",
                "style": "link"
              },
              {
                "id": "18a4a585-2176-4d9f-907c-8e8d5f984efa",
                "cellValue": "selectedTab",
                "linkTarget": "parameter",
                "linkLabel": "Azure Firewall Premium - IDPS",
                "subTarget": "AFIDSIPS",
                "style": "link"
              },
              {
                "id": "97dc7364-961d-4c19-a730-7b9024f46b91",
                "cellValue": "selectedTab",
                "linkTarget": "parameter",
                "linkLabel": "Azure Firewall - Investigation",
                "subTarget": "AFInvestigate",
                "style": "link"
              }
            ]
          },
          "name": "links - 24"
        },
        {
          "type": 9,
          "content": {
            "version": "KqlParameterItem/1.0",
            "parameters": [
              {
                "id": "ab7d6c51-d7df-436c-96a2-429163aa50ec",
                "version": "KqlParameterItem/1.0",
                "name": "TimeRange",
                "type": 4,
                "isRequired": true,
                "isGlobal": true,
                "value": {
                  "durationMs": 86400000
                },
                "typeSettings": {
                  "selectableValues": [
                    {
                      "durationMs": 300000
                    },
                    {
                      "durationMs": 900000
                    },
                    {
                      "durationMs": 1800000
                    },
                    {
                      "durationMs": 3600000
                    },
                    {
                      "durationMs": 14400000
                    },
                    {
                      "durationMs": 43200000
                    },
                    {
                      "durationMs": 86400000
                    },
                    {
                      "durationMs": 172800000
                    },
                    {
                      "durationMs": 259200000
                    },
                    {
                      "durationMs": 604800000
                    },
                    {
                      "durationMs": 1209600000
                    },
                    {
                      "durationMs": 2419200000
                    },
                    {
                      "durationMs": 2592000000
                    },
                    {
                      "durationMs": 5184000000
                    },
                    {
                      "durationMs": 7776000000
                    }
                  ],
                  "allowCustom": false
                }
              },
              {
                "id": "add90eb3-ff5f-4b19-9658-ff15c8043af5",
                "version": "KqlParameterItem/1.0",
                "name": "Workspaces",
                "type": 5,
                "isRequired": true,
                "multiSelect": true,
                "quote": "'",
                "delimiter": ",",
                "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id, name\r\n| order by name desc",
                "crossComponentResources": [
                  "value::selected"
                ],
                "value": [
                  "value::100"
                ],
                "typeSettings": {
                  "additionalResourceOptions": [
                    "value::100"
                  ]
                },
                "queryType": 1,
                "resourceType": "microsoft.resourcegraph/resources"
              },
              {
                "id": "5084e141-6c56-4d7f-bd8a-09f7ef9af1bc",
                "version": "KqlParameterItem/1.0",
                "name": "Resource",
                "label": "Azure Firewalls",
                "type": 5,
                "isRequired": true,
                "multiSelect": true,
                "quote": "'",
                "delimiter": ",",
                "query": "where type =~ 'Microsoft.Network/azureFirewalls'\r\n| project id, name",
                "crossComponentResources": [
                  "value::selected"
                ],
                "value": [
                  "value::all"
                ],
                "typeSettings": {
                  "additionalResourceOptions": [
                    "value::all"
                  ]
                },
                "queryType": 1,
                "resourceType": "microsoft.resourcegraph/resources"
              },
              {
                "id": "13d9f6e9-9290-4b1e-b0d0-a7c0ebdc1aed",
                "version": "KqlParameterItem/1.0",
                "name": "Help",
                "label": "Show Help",
                "type": 10,
                "description": "This will show some help information to help you understand the page you are on",
                "isRequired": true,
                "typeSettings": {
                  "additionalResourceOptions": []
                },
                "jsonData": "[[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]"
              },
              {
                "id": "68f2cb32-03d4-4307-8eb5-1f66dfc09a85",
                "version": "KqlParameterItem/1.0",
                "name": "FirewallResources",
                "label": "Show Resources",
                "type": 2,
                "description": "The is only used on the Overview page.",
                "typeSettings": {
                  "additionalResourceOptions": [],
                  "showDefault": false
                },
                "jsonData": "[[\r\n { \"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\r\n {\"value\": \"No\", \"label\": \"No\" }\r\n]",
                "value": "No"
              },
              {
                "id": "53aa8daf-29de-40a1-9147-c0970e32fac4",
                "version": "KqlParameterItem/1.0",
                "name": "GeoLocation",
                "label": "GeoLocationCSV",
                "type": 2,
                "description": "Supplied as a value for GeoLocation lookup on queries: Read more here - https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-lookup-plugin#ipv4-lookup---matching-rows-only",
                "typeSettings": {
                  "additionalResourceOptions": [],
                  "showDefault": false
                },
                "jsonData": "\r\n[\r\n{\r\n\"value\": \"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\", \"label\": \"GeoLocationDefault\", \"selected\": \"true\"  \r\n}\r\n]\r\n\r\n"
              }
            ],
            "style": "pills",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces"
          },
          "name": "parameters - 1"
        },
        {
          "type": 12,
          "content": {
            "version": "NotebookGroup/1.0",
            "groupType": "editable",
            "items": [
              {
                "type": 1,
                "content": {
                  "json": "### Overview - Change Log\r\n|Version|Description|\r\n|---|---|\r\n|v1.0\t|Initial Version|\r\n|V1.1.0\t|Split up the data sets, Overview, Application Rule Logs, Network Rule Logs, DNS Proxy Logs. Added in Investigation visibility with Azure Firewall + Azure Graph. Added in visibility to multiple workspaces and filtering to Firewall resources. |\r\n|V1.2.0 | Added new filteres, \"Show Help\", \"Show Resources\", \"GeoLocationCSV\", Updated query parsing to the Overview queries. Improved overall performance in large data scale performance with new parsing requirements."
                },
                "conditionalVisibilities": [
                  {
                    "parameterName": "Help",
                    "comparison": "isEqualTo",
                    "value": "Change Log"
                  },
                  {
                    "parameterName": "selectedTab",
                    "comparison": "isEqualTo",
                    "value": "AFOverview"
                  }
                ],
                "name": "text - 40"
              },
              {
                "type": 1,
                "content": {
                  "json": "### Azure Firewall - App Rules - Change Log\r\n|Version|Description|\r\n|---|---|\r\n|v1.0.0 | Initial Version\r\n|V1.2.0 | Added in new Querires for Azure Firewall features, parsing is now used differently. Added Web Category."
                },
                "conditionalVisibilities": [
                  {
                    "parameterName": "selectedTab",
                    "comparison": "isEqualTo",
                    "value": "AFAppRule"
                  },
                  {
                    "parameterName": "Help",
                    "comparison": "isEqualTo",
                    "value": "Change Log"
                  }
                ],
                "name": "text - 63"
              },
              {
                "type": 1,
                "content": {
                  "json": "### Azure Firewall - Network Rule - Change Log\r\n|Version|Description|\r\n|---|---|\r\n|V1.0.0 | Initial Version\r\n|V1.2.0 | Added in new Querires for Azure Firewall features, parsing is now used differently. Added in GeoLocation queries, updated main query to use GeoLocation data."
                },
                "conditionalVisibilities": [
                  {
                    "parameterName": "Help",
                    "comparison": "isEqualTo",
                    "value": "Change Log"
                  },
                  {
                    "parameterName": "selectedTab",
                    "comparison": "isEqualTo",
                    "value": "AFNetRule"
                  }
                ],
                "name": "text - 64"
              },
              {
                "type": 1,
                "content": {
                  "json": "### Azure Firewall - DNSProxy - Change Log\r\n|Version|Description|\r\n|---|---|\r\n|V1.1.0 | Initial Version\r\n|V1.2.0 | No modifications were made"
                },
                "conditionalVisibilities": [
                  {
                    "parameterName": "Help",
                    "comparison": "isEqualTo",
                    "value": "Change Log"
                  },
                  {
                    "parameterName": "selectedTab",
                    "comparison": "isEqualTo",
                    "value": "AFDNSProxy"
                  }
                ],
                "name": "text - 65"
              },
              {
                "type": 1,
                "content": {
                  "json": "### Azure Firewall Prem - IDPS - Change Log\r\n|Version|Description|\r\n|---|---|\r\n|V1.2.0 | Initial Version"
                },
                "conditionalVisibilities": [
                  {
                    "parameterName": "selectedTab",
                    "comparison": "isEqualTo",
                    "value": "AFIDSIPS"
                  },
                  {
                    "parameterName": "Help",
                    "comparison": "isEqualTo",
                    "value": "Change Log"
                  }
                ],
                "name": "text - 66"
              },
              {
                "type": 1,
                "content": {
                  "json": "### Azure Firewall Prem - IDPS - Change Log\r\n|Version|Description|\r\n|---|---|\r\n|V1.0.0 | Initial Version\r\n|V1.2.0 | Added IDPS Logs to the investgation experience, Added in GeoLocation infromation. Updated the KQL logic to be faster for large data volume."
                },
                "conditionalVisibilities": [
                  {
                    "parameterName": "Help",
                    "comparison": "isEqualTo",
                    "value": "Change Log"
                  },
                  {
                    "parameterName": "selectedTab",
                    "comparison": "isEqualTo",
                    "value": "AFInvestigate"
                  }
                ],
                "name": "text - 67"
              }
            ]
          },
          "name": "ChangeLogGroup"
        },
        {
          "type": 12,
          "content": {
            "version": "NotebookGroup/1.0",
            "groupType": "editable",
            "items": [
              {
                "type": 1,
                "content": {
                  "json": "##### What's on this page?\r\n\r\nThe Azure Firewall - Overview page has the following features.\r\n\r\n- All Firewall Data Log Analytics Volume (Total)\r\n- All Firewall Data Log Analytics Volume (Per Firewall)\r\n- All Firewall Event Categories\r\n- All Firewall Event Categories over time\r\n- Azure Firewall Metrics data\r\n  - Traffic\r\n  - SNAT Port\r\n  - Network Rule Count\r\n  - Application Rule Count\r\n\r\n##### How to use this page?\r\n\r\nStart by looking at the workbook filters, examples would be TimeRange, Workspace, Azure Firewall. Note these are filtered based on your azure portal settings of \"Default subscription filter\". Selecting more resources or more workspaces has an impact on speed of results depending on the data volume of your workspaces. Why TimeRange is a large factor when looking at looking at extremely large data sets of volume(example over 1 Billion logs) so multiple filters have been offered to finetune the results without having to build your own queries.\r\n\r\nIf this is your first time looking at this workbook, my suggestion is to use 14 days(this is the fastest cached data in Log Analytics), a single workspace, a single firewall, if you're wanting to see the results of one firewall. Best to know where your firewall is sending it's logs too to confirm you didn't select a workspace that doesn't have that firewalls data. How to check, go to the Azure Firewall, click Diagnostic settings, see what Log Analytics workspace is currently configured.\r\n\r\n##### What's required for this workbook to function?\r\n\r\n- Azure Firewall Diagnostic settings enabled, and sending to workspace your azure ad user had RBAC permissions to. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace.\r\n- Azure Metrics requires resource permissions of the Firewall you're wanting data on. "
                },
                "conditionalVisibility": {
                  "parameterName": "selectedTab",
                  "comparison": "isEqualTo",
                  "value": "AFOverview"
                },
                "name": "text - 59"
              },
              {
                "type": 1,
                "content": {
                  "json": "##### What's on this page?\r\n\r\nThe Azure Firewall - Application rule log statistics page has the following features.\r\n\r\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\r\n\r\n- Unique Source IP Address*\r\n- Application Rule Usage\r\n- Denied/Allowed FQDN over time\r\n- Denied/Allowed FQDN count\r\n- Denied/Allowed Web Categories over time\r\n- Denied/Allowed Web Categories count\r\n- Pre-parsed Azure Firewall Application Rule Logs with a search feature.\r\n\r\n##### How to use this page?\r\n\r\nIf  you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\r\n\r\nStarting out you'll see the unique source of IP addresses based on the global filters you have in place, this is showing only the top 10 IPAddresses, you can modify the KQL query to show more if needed if you click the \"Edit\" button. We added in the logic to show the volume over time, under the IP address/count information. If you click on the highest count (my example is 415,786 count, 10.0.24.4 ipaddress) it'll filter everything on the Application rule log statistic page to this IP address specifically. (Only Exception is the Rule Usage). Note this could cause other data sets to become blank as a result, sometimes you only have Approved or Denied access based on the configuration of the firewall.\r\n\r\nIf you're wanting to search for something a little more specific other than IPAddress filter, you can use the \"Search\" bar under the \"All IP Address events\" query to create a custom filter to the parsed logs. Example could be an FQDN \"wdcp.microsoft.com\" to pull up those logs specifically with that name in it.\r\n\r\n##### What's required for this workbook to function?\r\n\r\n- Azure Firewall Diagnostic settings enabled, specifically requires Application Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace."
                },
                "conditionalVisibility": {
                  "parameterName": "selectedTab",
                  "comparison": "isEqualTo",
                  "value": "AFAppRule"
                },
                "name": "text - 1"
              },
              {
                "type": 1,
                "content": {
                  "json": "##### What's on this page?\r\n\r\nThe Azure Firewall - Network rule log statistics page has the following features.\r\n\r\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\r\n\r\n- Rule Actions*\r\n\r\n- Target Ports*\r\n\r\n- DNAT Actions*\r\n\r\n- GeoLocation\r\n\r\n- Actions over time(Time scrub enabled)\r\n\r\n- Pre-parsed Network Rule data with GeoLocation added\r\n\r\n  *Note: GeoLocation is using an public file, you have to modify your GeoLocation Global Filter tab to add your own data.*\r\n\r\n##### How to use this page?\r\n\r\nIf  you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\r\n\r\nStarting out you'll get see pie charts on the screen, each of these can be clicked on to filter the data below. You'll have to click on the color of the wheel in order to use the filter feature. Downfall of this, if it's an extremely small data set, its hard to click on that color due to the challenge of even seeing it. These filters are a top down approach, meaning what clicked on top, filters below. If you'd like, feel free to test this out now. Under \"Target Ports, filterable by Target Port\" find port 53 ( pretty common port). Click on the wheel with the color that's associated to port 53. You'll see everything change below only showing data that has port 53 associated to it. If you'd like to remove this filter you have a few options. \r\n\r\n1. Click the \"Go back\" at the top right of the wheel\r\n2. Refresh the whole workbook\r\n3. Refresh the whole browser window\r\n\r\n*A note about the new feature added \"GeoLocation\", this is public data shared through the Log Analytics developer team to show the feature to associate IP addresses with a GeoLocation file. This had been added to the workbook to show you what's possible, it's encouraged for you to use your own data which could be further enriched. If you had Lat/Long data, you could even add in a map feature into this workbook to show you where the traffic is mostly.*\r\n\r\nMid-way down the page you'll see the \"Actions, by time\", if we saw a large spike and wanted to lower the window of traffic, select on the left side(where you're wanting to start, before the event occurred) drag, and move it over to the right. Example March 24th - March 27th. When i was looking over 14 days of time. This will filter the \"All IP Addresses events\" down to this new time window.\r\n\r\n##### What's required for this workbook to function?\r\n\r\n- Azure Firewall Diagnostic settings enabled, specifically requires Network Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace."
                },
                "conditionalVisibility": {
                  "parameterName": "selectedTab",
                  "comparison": "isEqualTo",
                  "value": "AFNetRule"
                },
                "name": "text - 2"
              },
              {
                "type": 1,
                "content": {
                  "json": "##### What's on this page?\r\n\r\nThe Azure Firewall - DNS Proxy page has the following features.\r\n\r\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\r\n\r\n- DNS Traffic by count (Time scrub enabled)\r\n- DNS Proxy by Request Name, by Count*\r\n- DNS Proxy Request by ClientIP, by Count*\r\n- Count over time of Proxy Requests by ClientIP\r\n- Pre-parsed DNS Proxy data\r\n\r\n##### How to use this page?\r\n\r\nIf  you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\r\n\r\nStarting out you'll see the DNS Proxy traffic count, this is a great way to start to narrow down the proxy traffic over a period of time. Example we're looking at the 14 day window, but there was an odd spike or dip in proxy traffic, why? use the time scrub feature to select on the left side(where you're wanting to start, before the event occurred) drag, and move it over to the right. Example March 24th - March 27th.\r\n\r\nAfter adding our second time filter to the page, move forward to looking at the DNS requests. You might see a large spike in a specific DNS request, could be something you're not even familiar with. Using an example, i see a DNS request for \"md-fpp31tsvhx4s.blob.core.windows.net\" for 300K times in my current filters. By selecting this Request Name, it'll filter on the right showing me which clients are requesting this DNS traffic. Which after clicking on my request, i see 2 different IP addresses now. Oddly though, one is much smaller than the other. Lets select that Ip address to add an additional filter to the logs. Now we can see the logs related to that machine client ip, specifically around that DNS request name. This might help you narrow down if there are any actions that need to be taken on your firewall.\r\n\r\n##### What's required for this workbook to function?\r\n\r\n- Azure Firewall Diagnostic settings enabled, specifically requires DNS Proxy Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace."
                },
                "conditionalVisibility": {
                  "parameterName": "selectedTab",
                  "comparison": "isEqualTo",
                  "value": "AFDNSProxy"
                },
                "name": "text - 3"
              },
              {
                "type": 1,
                "content": {
                  "json": "##### What's on this page?\r\n\r\nThe Azure Firewall Premium- IDPS page has the following features.\r\n\r\n*As noted on the title, these logs are only created on the Azure Firewall Premium sku*\r\n\r\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\r\n\r\n- IDPS Actions Count*\r\n- IDPS Protocol Count*\r\n- IDPS SignatureID Count*\r\n- IDPS SourceIP Count*\r\n- Azure Firewall IDPS count over time (Time Scrub Enabled)\r\n- Azure Firewall IDPS logs with GeoLocation\r\n\r\n##### How to use this page?\r\n\r\nIf  you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\r\n\r\nStarting out you'll see Pie Charts offering multiple filtering options to your IDPS logs, showing Alerts, Protocols, SignatureIDs and Sources of the logs. Lets start by selecting an ClientIP address(SourceIP) under the \"IDPS SourceIP Count, filterable by SourceIP\". I clicked on the largest one, you might of noticed most of the traffic under the IDPS logs are alerts, Mostly TCP to this ClientIP address and there could be some specific SignatureID's are being triggered. Looking further into the logs, you should expand the Source IP to see the different IP Addresses this client has talked to within the past 14 days(current global filter). The majority of the traffic is going to XX.XX.XX.XX, which is something to remember.\r\n\r\nGoing further down, you might noticed a spike in traffic, lets use the time scrub feature to narrow down the time window to that spike. Start by selecting on the left side(where you're wanting to start time to be, before the event occurred) drag, and move it over to the right(the end time). Example March 24th - March 27th.\r\n\r\n*Note; The GeoLocation + Data can take a long time to refresh.*\r\n\r\nYou should now be able to see data we filtered down to, with it based on  GeoLocation/Signature ID's\r\n\r\n##### What's required for this workbook to function?\r\n\r\n- Azure Firewall Premium Diagnostic settings enabled, specifically requires IDPS Diagnostic logs to be enabled for the workspace. You need a minimum of read rights to the AzureDiagnostics table within the Log Analytics workspace."
                },
                "conditionalVisibility": {
                  "parameterName": "selectedTab",
                  "comparison": "isEqualTo",
                  "value": "AFIDSIPS"
                },
                "name": "text - 4"
              },
              {
                "type": 1,
                "content": {
                  "json": "##### What's on this page?\r\n\r\nThe Azure Firewall - Investigation page has the following features.\r\n\r\n*Note, this is a combination of all the logs within the Azure Firewall workbook. Some logs are from the Azure Firewall Premium sku*\r\n\r\nAnything that can be used as a filter within the workbook, you'll see a * next to it. If it's filterable, this mean you can click on something within the data set that will be pushed down the workbook for more additional filtering.\r\n\r\n- IFQDN Traffic by Count*\r\n- SourceIP Address*\r\n- SourceIPAddress Resource Lookup (Azure Resource Graph)\r\n- FQDN Lookup logs\r\n- Azure Firewall Threat Intel\r\n- Azure Firewall Premium with GeoLocation- IDPS\r\n\r\n##### How to use this page?\r\n\r\nIf  you're not comfortable with the filters on this workbook, my suggestion is to use the get-help on the overview page to get started.\r\n\r\nThis is the page where we narrow down everything, You should considering adding your own twist based on your own investigations to this page. Leverage this as a template of where to start and how to move forward.\r\n\r\nStarting out we see FQDN and IP Address are the page's first filters offered.\r\n\r\nLooking at source count, you might see something that has a large count. Like the following example \"watson.telemetry.microsoft.com\".  Click on the \"Deny\"/'Count' line to use the filter feature for the whole page.\r\n\r\nThis narrowed down our large list of client (SourceIP) address to a smaller list, which could be used to find out which client is being the loudest or maybe something that sneaked in that wasn't suppose to be talking to this FQDN in the first place. Click on an IPAddress(SourceIP). \r\n\r\nAzure Resource Graph is then used to find which machine this is, which Azure Resource NIC, Public IP address, Subnet, etc.\r\n\r\nUse the other data sets to help see the logs you've filtered based on the FQDN + IPAddress above. \r\n\r\n*Note, FQDN isn't required for the Azure Resource Graph lookup.*\r\n\r\nSome log sources might be blank, that's perfectly acceptable in this scenario as we're filtering down to alerts and events.\r\n\r\n##### What's required for this workbook to function?\r\n\r\n- All Azure Firewall Diagnostic Logs\r\n- RBAC Permissions for Azure Resource Graph lookup."
                },
                "conditionalVisibility": {
                  "parameterName": "selectedTab",
                  "comparison": "isEqualTo",
                  "value": "AFInvestigate"
                },
                "name": "text - 5"
              }
            ]
          },
          "conditionalVisibility": {
            "parameterName": "Help",
            "comparison": "isEqualTo",
            "value": "Yes"
          },
          "name": "Get-Help"
        },
        {
          "type": 1,
          "content": {
            "json": "# Azure Firewall - overview"
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFOverview"
          },
          "name": "Main title"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "where type =~ 'Microsoft.Network/azureFirewalls'\r\n| extend Tier = trim(' ', tostring(properties.sku.tier))\r\n| extend Status = trim(' ', tostring(iif(isempty(properties.ipConfigurations.[0].properties.provisioningState),properties.provisioningState,properties.ipConfigurations.[0].properties.provisioningState)))\r\n| extend Premium = iff(Tier == \"Premium\", \"Yes\", \"No\")\r\n| extend Standard = iff(Tier == \"Standard\", \"Yes\", \"No\")\r\n| extend ProvisionedState = iff(Status == \"Succeeded\", \"Running\", \"Not Running\")\r\n| extend Policy = trim(' ', tostring(properties.firewallPolicy.id))\r\n| extend ApplicationRule1 = trim(' ', tostring(properties.applicationRuleCollections.[0].id))\r\n| extend ApplicationRule2 = trim(' ', tostring(properties.applicationRuleCollections.[0].id))\r\n| extend ApplicationRule3 = iff(ApplicationRule1 == \"\", \"N/A\", \"\")\r\n| extend ApplicationRule4 = iff(ApplicationRule2 contains \"subscription\", \"Configured\", \"\")\r\n| extend ApplicationRuleClassic = strcat(ApplicationRule3, ApplicationRule4)\r\n| extend NetworkRule1 = trim(' ', tostring(properties.networkRuleCollections.[0].id))\r\n| extend NetworkRule2 = trim(' ', tostring(properties.networkRuleCollections.[0].id))\r\n| extend NetworkRule3 = iff(NetworkRule1 == \"\", \"N/A\", \"\")\r\n| extend NetworkRule4 = iff(NetworkRule1 contains \"subscription\", \"Configured\", \"\")\r\n| extend NetworkRuleClassic = strcat(NetworkRule3, NetworkRule4)\r\n| project Firewall=id, Premium, Standard, ProvisionedState,FirewallPolicy= Policy, ApplicationRuleClassic, NetworkRuleClassic, location, resourceGroup, subscriptionId, tenantId",
            "size": 1,
            "title": "Azure Firewall Resource List",
            "queryType": 1,
            "resourceType": "microsoft.resourcegraph/resources",
            "crossComponentResources": [
              "value::selected"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "Premium",
                  "formatter": 18,
                  "formatOptions": {
                    "thresholdsOptions": "colors",
                    "thresholdsGrid": [
                      {
                        "operator": "==",
                        "thresholdValue": "Yes",
                        "representation": "green",
                        "text": "{0}{1}"
                      },
                      {
                        "operator": "==",
                        "thresholdValue": "No",
                        "representation": "grayBlue",
                        "text": "{0}{1}"
                      },
                      {
                        "operator": "Default",
                        "thresholdValue": null,
                        "representation": null,
                        "text": "{0}{1}"
                      }
                    ]
                  }
                },
                {
                  "columnMatch": "Standard",
                  "formatter": 18,
                  "formatOptions": {
                    "thresholdsOptions": "colors",
                    "thresholdsGrid": [
                      {
                        "operator": "==",
                        "thresholdValue": "Yes",
                        "representation": "green",
                        "text": "{0}{1}"
                      },
                      {
                        "operator": "==",
                        "thresholdValue": "No",
                        "representation": "grayBlue",
                        "text": "{0}{1}"
                      },
                      {
                        "operator": "Default",
                        "thresholdValue": null,
                        "representation": null,
                        "text": "{0}{1}"
                      }
                    ]
                  }
                },
                {
                  "columnMatch": "ProvisionedState",
                  "formatter": 18,
                  "formatOptions": {
                    "thresholdsOptions": "colors",
                    "thresholdsGrid": [
                      {
                        "operator": "==",
                        "thresholdValue": "Running",
                        "representation": "green",
                        "text": "{0}{1}"
                      },
                      {
                        "operator": "==",
                        "thresholdValue": "Not Running",
                        "representation": "grayBlue",
                        "text": "{0}{1}"
                      },
                      {
                        "operator": "Default",
                        "thresholdValue": null,
                        "text": "{0}{1}"
                      }
                    ]
                  }
                },
                {
                  "columnMatch": "ApplicationRuleClassic",
                  "formatter": 18,
                  "formatOptions": {
                    "thresholdsOptions": "colors",
                    "thresholdsGrid": [
                      {
                        "operator": "==",
                        "thresholdValue": "N/A",
                        "representation": "gray",
                        "text": "{0}{1}"
                      },
                      {
                        "operator": "Default",
                        "thresholdValue": null,
                        "representation": "green",
                        "text": "{0}{1}"
                      }
                    ]
                  }
                },
                {
                  "columnMatch": "NetworkRuleClassic",
                  "formatter": 18,
                  "formatOptions": {
                    "thresholdsOptions": "colors",
                    "thresholdsGrid": [
                      {
                        "operator": "==",
                        "thresholdValue": "N/A",
                        "representation": "gray",
                        "text": "{0}{1}"
                      },
                      {
                        "operator": "Default",
                        "thresholdValue": null,
                        "representation": "green",
                        "text": "{0}{1}"
                      }
                    ]
                  }
                }
              ]
            }
          },
          "customWidth": "100",
          "conditionalVisibility": {
            "parameterName": "FirewallResources",
            "comparison": "isEqualTo",
            "value": "Yes"
          },
          "name": "query - 60",
          "styleSettings": {
            "margin": "0"
          }
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics \r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where ResourceType == \"AZUREFIREWALLS\" \r\n| summarize Volume=count() by bin(TimeGenerated, {TimeRange:grain})",
            "size": 0,
            "title": "Events, by time: Query Time({$queryTime})",
            "noDataMessage": "There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 4,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "timechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFOverview"
          },
          "name": "query - 16"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where ResourceType == \"AZUREFIREWALLS\" \r\n| summarize Volume=count() by Resource, bin(TimeGenerated, {TimeRange:grain})",
            "size": 0,
            "title": "Events, by firewall over time: Query Time({$queryTime})",
            "noDataMessage": "There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 4,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportParameterName": "TopEvent",
            "exportDefaultValue": "{\"Resource\":\"*\",\"ResourceGroup\":\"*\"}",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "linechart",
            "tileSettings": {
              "titleContent": {
                "columnMatch": "Resource",
                "formatter": 1
              },
              "leftContent": {
                "columnMatch": "amount",
                "formatter": 12,
                "formatOptions": {
                  "palette": "auto"
                },
                "numberFormat": {
                  "unit": 17,
                  "options": {
                    "maximumSignificantDigits": 3,
                    "maximumFractionDigits": 2
                  }
                }
              },
              "showBorder": true
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFOverview"
          },
          "name": "Firewall per Resource Group"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| project Category, ResourceType, OperationName);\r\nunion\r\n(\r\nmaterializedData\r\n    | where OperationName == \"AzureFirewallIDSLog\"\r\n    | summarize Volume=count() by OperationName\r\n    | project Category=OperationName, Volume\r\n),\r\n(\r\nmaterializedData\r\n    | where OperationName == \"AzureFirewallThreatIntelLog\"\r\n    | summarize Volume=count() by OperationName\r\n    | project Category=OperationName, Volume\r\n),\r\n(\r\nmaterializedData\r\n    | where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n    | where OperationName <> \"AzureFirewallIDSLog\"\r\n    | summarize Volume=count() by Category\r\n)\r\n| sort by Volume desc",
            "size": 0,
            "title": "Events, by category: Query Time({$queryTime})",
            "noDataMessage": "There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 4,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "Category",
            "exportParameterName": "SelectedCategory",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "piechart",
            "tileSettings": {
              "showBorder": false,
              "titleContent": {
                "columnMatch": "Category",
                "formatter": 1
              },
              "leftContent": {
                "columnMatch": "Volume",
                "formatter": 12,
                "formatOptions": {
                  "palette": "auto"
                },
                "numberFormat": {
                  "unit": 17,
                  "options": {
                    "maximumSignificantDigits": 3,
                    "maximumFractionDigits": 2
                  }
                }
              }
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFOverview"
          },
          "name": "Events by category"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| project Category, ResourceType, OperationName, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n    | where OperationName == \"AzureFirewallIDSLog\"\r\n    | summarize Volume=count() by OperationName, bin(TimeGenerated, {TimeRange:grain})\r\n    | project Category=OperationName, Volume, TimeGenerated\r\n),\r\n(\r\nmaterializedData\r\n    | where OperationName == \"AzureFirewallThreatIntelLog\"\r\n    | summarize Volume=count() by OperationName, bin(TimeGenerated, {TimeRange:grain})\r\n    | project Category=OperationName, Volume, TimeGenerated\r\n),\r\n(\r\nmaterializedData\r\n    | where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n    | where OperationName <> \"AzureFirewallIDSLog\"\r\n    | summarize Volume=count() by Category, bin(TimeGenerated, {TimeRange:grain})\r\n)\r\n| sort by Volume desc",
            "size": 0,
            "title": "Events categories, by time: Query Time({$queryTime})",
            "noDataMessage": "There are no firewall events being feed within the selected workspaces. If you believe the selection is correct, confirm logging has been enabled for the Azure Firewall and feeding into the selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 4,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "timechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFOverview"
          },
          "name": "Events categories by time"
        },
        {
          "type": 1,
          "content": {
            "json": "### Firewall Metrics\r\nThe data below dosen't read from the Log Analytics workpsace, it's reading directly from the resources which requires resource visibility. \r\nClick [here for more information on Azure Metrics](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform-metrics)\r\n",
            "style": "info"
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFOverview"
          },
          "name": "text - 39"
        },
        {
          "type": 10,
          "content": {
            "chartId": "workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15",
            "version": "MetricsItem/2.0",
            "size": 0,
            "chartType": 2,
            "resourceType": "microsoft.network/azurefirewalls",
            "metricScope": 0,
            "resourceParameter": "Resource",
            "resourceIds": [
              "{Resource}"
            ],
            "timeContextFromParameter": "TimeRange",
            "timeContext": {
              "durationMs": 86400000
            },
            "metrics": [
              {
                "namespace": "microsoft.network/azurefirewalls",
                "metric": "microsoft.network/azurefirewalls--Throughput",
                "aggregation": 4,
                "splitBy": null,
                "columnName": "All Firewall Throughput Average"
              }
            ],
            "title": "Average Throughput of Firewall Traffic",
            "gridSettings": {
              "rowLimit": 10000
            }
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFOverview"
          },
          "name": "metric - 25"
        },
        {
          "type": 10,
          "content": {
            "chartId": "workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15",
            "version": "MetricsItem/2.0",
            "size": 0,
            "chartType": 2,
            "resourceType": "microsoft.network/azurefirewalls",
            "metricScope": 0,
            "resourceParameter": "Resource",
            "resourceIds": [
              "{Resource}"
            ],
            "timeContextFromParameter": "TimeRange",
            "timeContext": {
              "durationMs": 86400000
            },
            "metrics": [
              {
                "namespace": "microsoft.network/azurefirewalls",
                "metric": "microsoft.network/azurefirewalls--SNATPortUtilization",
                "aggregation": 4,
                "splitBy": null
              }
            ],
            "title": "SNAT Port Utilization",
            "gridSettings": {
              "rowLimit": 10000
            }
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFOverview"
          },
          "name": "metric - 25 - Copy"
        },
        {
          "type": 10,
          "content": {
            "chartId": "workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15",
            "version": "MetricsItem/2.0",
            "size": 0,
            "chartType": 2,
            "resourceType": "microsoft.network/azurefirewalls",
            "metricScope": 0,
            "resourceParameter": "Resource",
            "resourceIds": [
              "{Resource}"
            ],
            "timeContextFromParameter": "TimeRange",
            "timeContext": {
              "durationMs": 86400000
            },
            "metrics": [
              {
                "namespace": "microsoft.network/azurefirewalls",
                "metric": "microsoft.network/azurefirewalls--NetworkRuleHit",
                "aggregation": 1,
                "splitBy": null
              }
            ],
            "title": "Network Rule Hitcount (SUM)",
            "gridSettings": {
              "rowLimit": 10000
            }
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFOverview"
          },
          "name": "metric - 25 - Copy - Copy"
        },
        {
          "type": 10,
          "content": {
            "chartId": "workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15",
            "version": "MetricsItem/2.0",
            "size": 0,
            "chartType": 2,
            "resourceType": "microsoft.network/azurefirewalls",
            "metricScope": 0,
            "resourceParameter": "Resource",
            "resourceIds": [
              "{Resource}"
            ],
            "timeContextFromParameter": "TimeRange",
            "timeContext": {
              "durationMs": 86400000
            },
            "metrics": [
              {
                "namespace": "microsoft.network/azurefirewalls",
                "metric": "microsoft.network/azurefirewalls--ApplicationRuleHit",
                "aggregation": 1,
                "splitBy": null
              }
            ],
            "title": "Application Rule Hitcount (SUM)",
            "gridSettings": {
              "rowLimit": 10000
            }
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFOverview"
          },
          "name": "metric - 25 - Copy - Copy - Copy"
        },
        {
          "type": 1,
          "content": {
            "json": "---\r\n# Azure Firewall - Application rule log statistics"
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "text - 14"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project ResourceId,ResourceGroup,SubscriptionId, msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has  \"TLS extension was missing\" and msg_s !has \"No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| where msg_s has \"Rule Collection Group\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n)\r\n| summarize Amount=count() by SourceIP\r\n| join kind = inner\r\n( union (\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has  \"TLS extension was missing\" and msg_s !has \"No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| where msg_s has \"Rule Collection Group\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n)\r\n    | make-series Trend = count() default = 0 on bin(TimeGenerated, 1d) from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP) on SourceIP\r\n    | project-away SourceIP1, TimeGenerated\r\n    | top 10 by Amount\r\n    | sort by Amount\r\n",
            "size": 1,
            "title": "Unique Source IP addresses, filterable by SelectedSourceIP: Query Time ({$queryTime})",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "SourceIP",
            "exportParameterName": "SelectedSourceIP",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "barchart",
            "tileSettings": {
              "titleContent": {
                "columnMatch": "Amount",
                "formatter": 12,
                "formatOptions": {
                  "showIcon": true
                }
              },
              "subtitleContent": {
                "columnMatch": "SourceIP",
                "formatter": 1,
                "formatOptions": {
                  "showIcon": true
                }
              },
              "secondaryContent": {
                "columnMatch": "Trend",
                "formatter": 9,
                "formatOptions": {
                  "showIcon": true
                }
              },
              "showBorder": false
            },
            "graphSettings": {
              "type": 0,
              "topContent": {
                "columnMatch": "SourceIP",
                "formatter": 1
              },
              "centerContent": {
                "columnMatch": "Amount",
                "formatter": 1,
                "numberFormat": {
                  "unit": 17,
                  "options": {
                    "maximumSignificantDigits": 3,
                    "maximumFractionDigits": 2
                  }
                }
              }
            }
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 4"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has  \"TLS extension was missing\" and msg_s !has \"No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| where msg_s has \"Rule Collection Group\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n)\r\n| summarize Count = count(), last_log = datetime_diff(\"second\", now(), max(TimeGenerated)) by RuleCollection, Rule, WebCategory",
            "size": 1,
            "title": "Application Rule Usage : Query Time ({$queryTime})",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "Count",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "maximumSignificantDigits": 4
                    }
                  }
                },
                {
                  "columnMatch": "last_log",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "greenRed"
                  },
                  "numberFormat": {
                    "unit": 24,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false
                    }
                  }
                }
              ],
              "sortBy": [
                {
                  "itemKey": "$gen_heatmap_last_log_4",
                  "sortOrder": 1
                }
              ]
            },
            "sortBy": [
              {
                "itemKey": "$gen_heatmap_last_log_4",
                "sortOrder": 1
              }
            ]
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 36"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has  \"TLS extension was missing\" and msg_s !has \"No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| where msg_s has \"Rule Collection Group\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n)\r\n| where Action == \"Deny\"\r\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \"*\"  \r\n| summarize count() by FQDN, bin(TimeGenerated,{TimeRange:grain})",
            "size": 0,
            "title": "Denied FQDN's over time",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "timechart",
            "tileSettings": {
              "showBorder": false
            }
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 3"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has  \"TLS extension was missing\" and msg_s !has \"No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| where msg_s has \"Rule Collection Group\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n)\r\n| where Action == \"Deny\"\r\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \"*\"  \r\n| summarize count() by FQDN\r\n| sort by count_ desc\r\n",
            "size": 0,
            "showAnalytics": true,
            "title": "Denied FQDN's by count",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "showExportToExcel": true,
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "table",
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "maximumSignificantDigits": 4
                    }
                  }
                }
              ],
              "sortBy": [
                {
                  "itemKey": "$gen_heatmap_count__1",
                  "sortOrder": 2
                }
              ]
            },
            "sortBy": [
              {
                "itemKey": "$gen_heatmap_count__1",
                "sortOrder": 2
              }
            ]
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 7"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \"TLS extension was missing\"\r\n        and msg_s !has \"No rule matched\"\r\n        and msg_s !has \". Rule Collection Group: \"\r\n        and msg_s !has \". Policy: \"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \" Reason: \"\r\n    | where msg_s has \" Rule Collection\"\r\n        and msg_s has \" Policy: \"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    )\r\n| where Action == \"Allow\"\r\n| summarize count() by FQDN, bin(TimeGenerated,{TimeRange:grain})\r\n",
            "size": 0,
            "title": "Allowed FQDN's over time",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "timechart"
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 5"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\n    materialize(\r\n    AzureDiagnostics\r\n    | where Category == \"AzureFirewallApplicationRule\"\r\n    | where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n    | project msg_s, Resource, TimeGenerated);\r\nlet parsedTable = union\r\n    (\r\n    materializedData\r\n    | where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s has \". Url\"\r\n        and msg_s has \". No rule matched\"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s has \". No rule matched\"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \"Rule Collection\"\r\n        and msg_s !has \" Reason: \"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \"Rule Collection\"\r\n        and msg_s !has \"TLS extension was missing\"\r\n    | where msg_s has \" Reason:\"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \"TLS extension was missing\"\r\n        and msg_s !has \"No rule matched\"\r\n        and msg_s !has \". Policy: \"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \" Reason: \"\r\n    | where msg_s has \"Rule Collection Group\"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    )\r\n| where Action == \"Allow\"\r\n| where '*' == SourceIP or '*' == \"*\"   \r\n//| summarize count() by FQDN\r\n//| sort by count_ desc;\r\n;\r\nlet cntTbl = parsedTable\r\n| summarize  count() by FQDN;\r\nparsedTable\r\n| join cntTbl on FQDN\r\n| project FQDN, count_, Rule, RuleCollection\r\n| order by count_ desc",
            "size": 0,
            "showAnalytics": true,
            "title": "Allowed FQDN's by count",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "showExportToExcel": true,
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "table",
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "maximumSignificantDigits": 4
                    }
                  }
                }
              ]
            },
            "sortBy": []
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 2"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \"TLS extension was missing\"\r\n        and msg_s !has \"No rule matched\"\r\n        and msg_s !has \". Rule Collection Group: \"\r\n        and msg_s !has \". Policy: \"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \" Reason: \"\r\n    | where msg_s has \" Rule Collection\"\r\n        and msg_s has \" Policy: \"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    )\r\n| where isnotempty(WebCategory)\r\n| where Action == \"Allow\"\r\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \"*\"  \r\n| summarize count() by WebCategory, bin(TimeGenerated,{TimeRange:grain})\r\n",
            "size": 0,
            "title": "Allowed Web Categories over time",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "timechart",
            "chartSettings": {
              "showLegend": true
            }
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 5 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \"TLS extension was missing\"\r\n        and msg_s !has \"No rule matched\"\r\n        and msg_s !has \". Rule Collection Group: \"\r\n        and msg_s !has \". Policy: \"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \" Reason: \"\r\n    | where msg_s has \" Rule Collection\"\r\n        and msg_s has \" Policy: \"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    )\r\n| where isnotempty(WebCategory)\r\n| where Action == \"Allow\"\r\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \"*\"\r\n| summarize count() by WebCategory\r\n| sort by count_ desc\r\n",
            "size": 0,
            "title": "Allowed Web Categories by count",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "maximumSignificantDigits": 4
                    }
                  }
                }
              ]
            },
            "chartSettings": {
              "showLegend": true
            }
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 5 - Copy - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has  \"TLS extension was missing\" and msg_s !has \"No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| where msg_s has \"Rule Collection Group\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n)\r\n| where isnotempty(WebCategory)\r\n| where Action == \"Deny\"\r\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \"*\"  \r\n| summarize count() by WebCategory, bin(TimeGenerated,{TimeRange:grain})\r\n",
            "size": 0,
            "title": "Denied Web Categories over time",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "timechart",
            "chartSettings": {
              "showLegend": true
            }
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 5 - Copy - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has  \"TLS extension was missing\" and msg_s !has \"No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| where msg_s has \"Rule Collection Group\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n)\r\n| where isnotempty(WebCategory)\r\n| where Action == \"Deny\"\r\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \"*\"\r\n| summarize count() by WebCategory\r\n| sort by count_ desc",
            "size": 0,
            "showAnalytics": true,
            "title": "Denied Web Catgories by count",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "showExportToExcel": true,
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "table",
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "maximumSignificantDigits": 4
                    }
                  }
                }
              ]
            },
            "sortBy": []
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 2 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project ResourceId,ResourceGroup,SubscriptionId, msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \"TLS extension was missing\"\r\n         and msg_s !has \"Rule Collection Group:\"\r\n        and msg_s !has \"No rule matched\"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \" Reason: \"\r\n    | where msg_s has \"Rule Collection Group:\"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    )\r\n| where '{SelectedSourceIP}' == SourceIP or '{SelectedSourceIP}' == \"*\"  \r\n| summarize by TimeGenerated, FQDN, Protocol, Action, SourceIP, SourcePort, DestinationPort , ResourceId , ResourceGroup , RuleCollection, Rule, WebCategory, SubscriptionId\r\n| order by TimeGenerated desc \r\n",
            "size": 0,
            "showAnalytics": true,
            "title": "All IP addresses events: Query Time({$queryTime}) : Total Rows({$rowCount})",
            "noDataMessage": "There are no Application Rule logs within the selected workspaces. If you believe the selection is correct, confirm Application Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "showExportToExcel": true,
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "rowLimit": 2000,
              "filter": true
            }
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFAppRule"
          },
          "name": "query - 9"
        },
        {
          "type": 1,
          "content": {
            "json": "---\r\n# Azure Firewall - Network rule log statistics"
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "text - 14"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n| where OperationName <> \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\n// Azure Firewall Networking - Standard Log\r\nmaterializedData\r\n| where msg_s !has \"Type=\" and msg_s !has \"DNAT'ed\" and msg_s !has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking with ICMP\r\nmaterializedData\r\n| where msg_s has \"Type=\"\r\n| parse msg_s with Protocol \" Type=\" ICMPType \" request from \" SourceIP \" to \" DestinationIP \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule - Standard\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s !has \". Rule Collection:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Policy: \" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n)\r\n| summarize count() by Action",
            "size": 3,
            "title": "Rule actions, filterable by RuleAction",
            "noDataMessage": "There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "series",
            "exportParameterName": "RuleAction",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "piechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "query - 7"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n| where OperationName <> \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\n// Azure Firewall Networking - Standard Log\r\nmaterializedData\r\n| where msg_s !has \"Type=\" and msg_s !has \"DNAT'ed\" and msg_s !has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking with ICMP\r\nmaterializedData\r\n| where msg_s has \"Type=\"\r\n| parse msg_s with Protocol \" Type=\" ICMPType \" request from \" SourceIP \" to \" DestinationIP \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule - Standard\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s !has \". Rule Collection:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Policy: \" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n)\r\n| summarize Count=count() by DestinationPort",
            "size": 3,
            "title": "Target ports, filterable by TargetPort",
            "noDataMessage": "There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "series",
            "exportParameterName": "DestinationPort",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "piechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "query - 10"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n| where OperationName <> \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\n// Azure Firewall Networking - Standard Log\r\nmaterializedData\r\n| where msg_s !has \"Type=\" and msg_s !has \"DNAT'ed\" and msg_s !has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking with ICMP\r\nmaterializedData\r\n| where msg_s has \"Type=\"\r\n| parse msg_s with Protocol \" Type=\" ICMPType \" request from \" SourceIP \" to \" DestinationIP \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule - Standard\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s !has \". Rule Collection:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Policy: \" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n)\r\n| where Action == \"DNAT'ed\"\r\n| summarize Amount=count() by NatDestination\r\n",
            "size": 3,
            "title": "DNAT actions, filterable by NatDestination",
            "noDataMessage": "There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "series",
            "exportParameterName": "NatDestination",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "piechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "query - 12"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "//reference list posted here : https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-lookup-plugin\r\nlet geoData = externaldata\r\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\r\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\r\n[@\"{GeoLocation}\"] with (ignoreFirstRecord=true, format=\"csv\");\r\nlet materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n| where OperationName <> \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\n// Azure Firewall Networking - Standard Log\r\nmaterializedData\r\n| where msg_s !has \"Type=\" and msg_s !has \"DNAT'ed\" and msg_s !has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking with ICMP\r\nmaterializedData\r\n| where msg_s has \"Type=\"\r\n| parse msg_s with Protocol \" Type=\" ICMPType \" request from \" SourceIP \" to \" DestinationIP \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule - Standard\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s !has \". Rule Collection:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Policy: \" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n)\r\n| project DestinationIP\r\n| evaluate ipv4_lookup (geoData, DestinationIP,  network, false)\r\n| summarize count() by continent_name\r\n",
            "size": 2,
            "title": "GeoLocation",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "showRefreshButton": true,
            "exportFieldName": "series",
            "exportParameterName": "netcontinent",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "piechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "query - 61"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n| where OperationName <> \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\n// Azure Firewall Networking - Standard Log\r\nmaterializedData\r\n| where msg_s !has \"Type=\" and msg_s !has \"DNAT'ed\" and msg_s !has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking with ICMP\r\nmaterializedData\r\n| where msg_s has \"Type=\"\r\n| parse msg_s with Protocol \" Type=\" ICMPType \" request from \" SourceIP \" to \" DestinationIP \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule - Standard\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s !has \". Rule Collection:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Policy: \" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n)\r\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \"*\"\r\n| where \"{RuleAction}\" == Action or \"{RuleAction}\" == \"*\"\r\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \"*\"\r\n| summarize amount = count() by Action , SourceIP\r\n| sort by amount desc",
            "size": 0,
            "title": "Rule actions, by IP addresses",
            "noDataMessage": "There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "table",
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "Action",
                  "formatter": 5
                },
                {
                  "columnMatch": "amount",
                  "formatter": 3,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "maximumSignificantDigits": 4
                    }
                  }
                },
                {
                  "columnMatch": "eventCount",
                  "formatter": 3,
                  "formatOptions": {
                    "min": 0,
                    "palette": "blue"
                  }
                }
              ],
              "rowLimit": 2000,
              "filter": true,
              "hierarchySettings": {
                "treeType": 1,
                "groupBy": [
                  "Action"
                ],
                "expandTopLevel": false,
                "finalBy": "Action"
              }
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "query - 8"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n| where OperationName <> \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\n// Azure Firewall Networking - Standard Log\r\nmaterializedData\r\n| where msg_s !has \"Type=\" and msg_s !has \"DNAT'ed\" and msg_s !has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking with ICMP\r\nmaterializedData\r\n| where msg_s has \"Type=\"\r\n| parse msg_s with Protocol \" Type=\" ICMPType \" request from \" SourceIP \" to \" DestinationIP \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule - Standard\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s !has \". Rule Collection:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Policy: \" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n)\r\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \"*\"\r\n| where \"{RuleAction}\" == Action or \"{RuleAction}\" == \"*\"\r\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \"*\"   \r\n| summarize AMOUNT=count() by DestinationPort, SourceIP\r\n| sort by AMOUNT desc",
            "size": 0,
            "title": "Target ports, by Source IP: Query Time({$queryTime}) : Total Rows({$rowCount})",
            "noDataMessage": "There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "table",
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "DestinationPort",
                  "formatter": 5
                },
                {
                  "columnMatch": "AMOUNT",
                  "formatter": 3,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "maximumSignificantDigits": 4
                    }
                  }
                }
              ],
              "rowLimit": 2000,
              "filter": true,
              "hierarchySettings": {
                "treeType": 1,
                "groupBy": [
                  "DestinationPort"
                ],
                "expandTopLevel": false
              }
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "query - 11"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n| where OperationName <> \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\n// Azure Firewall Networking - Standard Log\r\nmaterializedData\r\n| where msg_s !has \"Type=\" and msg_s !has \"DNAT'ed\" and msg_s !has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking with ICMP\r\nmaterializedData\r\n| where msg_s has \"Type=\"\r\n| parse msg_s with Protocol \" Type=\" ICMPType \" request from \" SourceIP \" to \" DestinationIP \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule - Standard\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s !has \". Rule Collection:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Policy: \" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n)\r\n| where Action == \"DNAT'ed\"\r\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \"*\"\r\n| where \"{RuleAction}\" == Action or \"{RuleAction}\" == \"*\"\r\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \"*\"\r\n| summarize Amount=count() by NatDestination, bin(TimeGenerated, {TimeRange:grain})\r\n",
            "size": 0,
            "title": "DNAT'ed over time",
            "noDataMessage": "There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "timechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "query - 13"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "//reference list posted here : https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-lookup-plugin\r\nlet geoData = externaldata\r\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\r\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\r\n[@\"{GeoLocation}\"] with (ignoreFirstRecord=true, format=\"csv\");\r\nlet materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n| where OperationName <> \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\n// Azure Firewall Networking - Standard Log\r\nmaterializedData\r\n| where msg_s !has \"Type=\" and msg_s !has \"DNAT'ed\" and msg_s !has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking with ICMP\r\nmaterializedData\r\n| where msg_s has \"Type=\"\r\n| parse msg_s with Protocol \" Type=\" ICMPType \" request from \" SourceIP \" to \" DestinationIP \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule - Standard\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s !has \". Rule Collection:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Policy: \" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n)\r\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \"*\"\r\n| where \"{RuleAction}\" == Action or \"{RuleAction}\" == \"*\"\r\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \"*\"\r\n| project DestinationIP, TimeGenerated\r\n| evaluate ipv4_lookup (geoData, DestinationIP,  network, false)\r\n| summarize Amount=count() by continent_name, bin(TimeGenerated, {TimeRange:grain})\r\n\r\n",
            "size": 0,
            "title": "GeoLocation over time",
            "noDataMessage": "There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "timechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "query - 13 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n| where OperationName <> \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\n// Azure Firewall Networking - Standard Log\r\nmaterializedData\r\n| where msg_s !has \"Type=\" and msg_s !has \"DNAT'ed\" and msg_s !has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking with ICMP\r\nmaterializedData\r\n| where msg_s has \"Type=\"\r\n| parse msg_s with Protocol \" Type=\" ICMPType \" request from \" SourceIP \" to \" DestinationIP \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule - Standard\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s !has \". Rule Collection:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Policy: \" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n)\r\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \"*\"\r\n| where \"{RuleAction}\" == Action or \"{RuleAction}\" == \"*\"\r\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \"*\"\r\n| summarize count() by Action, bin(TimeGenerated, {TimeRange:grain})\r\n",
            "size": 0,
            "title": "Actions, by time",
            "noDataMessage": "There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "timeBrushParameterName": "ActionsByTimeBrush",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "timechart"
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "query - 15"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "//reference list posted here : https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-lookup-plugin\r\nlet geoData = externaldata\r\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\r\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\r\n[@\"{GeoLocation}\"] with (ignoreFirstRecord=true, format=\"csv\");\r\nlet materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName <> \"AzureFirewallThreatIntelLog\"\r\n| where OperationName <> \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\n// Azure Firewall Networking - Standard Log\r\nmaterializedData\r\n| where msg_s !has \"Type=\" and msg_s !has \"DNAT'ed\" and msg_s !has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking with ICMP\r\nmaterializedData\r\n| where msg_s has \"Type=\"\r\n| parse msg_s with Protocol \" Type=\" ICMPType \" request from \" SourceIP \" to \" DestinationIP \". Action: \" Action\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule - Standard\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s !has \". Rule Collection:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Networking DNAT rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"DNAT'ed\" and msg_s has \". Rule Collection:\" and msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \" was \" Action \" to \" NatDestination \". Policy: \" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall not using policy)\r\nmaterializedData\r\n| where msg_s has \"Rule Collection:\" and msg_s !has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n),\r\n(\r\n// Azure Firewall Network rule (firewall using policy)\r\nmaterializedData\r\n| where msg_s has \"Policy:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestinationIP \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule Name: \" Rule\r\n)\r\n| where '{DestinationPort}' == DestinationPort or '{DestinationPort}' == \"*\"\r\n| where \"{RuleAction}\" == Action or \"{RuleAction}\" == \"*\"\r\n| where '{NatDestination}' == NatDestination or '{NatDestination}' == \"*\"\r\n| summarize by TimeGenerated,Protocol, ICMPType, Action,SourceIP, SourcePort, DestinationIP , DestinationPort , NatDestination, ResourceId , ResourceGroup , SubscriptionId\r\n| evaluate ipv4_lookup (geoData, DestinationIP,  network, false)\r\n",
            "size": 0,
            "showAnalytics": true,
            "title": "All IP addresses events with GeoLocation: Query Time({$queryTime}) : Total Rows({$rowCount})",
            "noDataMessage": "There are no Network Rule logs within the selected workspaces. If you believe the selection is correct, confirm Network Rule logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 0
            },
            "timeContextFromParameter": "ActionsByTimeBrush",
            "showExportToExcel": true,
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "rowLimit": 2000,
              "filter": true
            }
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFNetRule"
          },
          "name": "query - 22"
        },
        {
          "type": 1,
          "content": {
            "json": "# Azure Firewall -DNS Proxy"
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFDNSProxy"
          },
          "name": "text - 41"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where Category == \"AzureFirewallDnsProxy\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\r\n| project Resource, TimeGenerated\r\n| summarize count() by Resource, bin(TimeGenerated,{TimeRange:grain})\r\n",
            "size": 0,
            "title": "DNSProxy Traffic by count per Firewall: Query Time({$queryTime}) ",
            "noDataMessage": "There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "timeBrushParameterName": "DNSTimeBrush",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "linechart",
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "maximumSignificantDigits": 4
                    }
                  }
                }
              ]
            }
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFDNSProxy"
          },
          "name": "query - 30 - Copy - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where Category == \"AzureFirewallDnsProxy\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\r\n| project-away msg_s\r\n| summarize count() by Request_Name\r\n| sort by count_ desc",
            "size": 0,
            "title": "DNSProxy count by Request Name, filterable by Request_Name",
            "noDataMessage": "There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 0
            },
            "timeContextFromParameter": "DNSTimeBrush",
            "exportFieldName": "Request_Name",
            "exportParameterName": "DNSRequestName",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "maximumSignificantDigits": 4
                    }
                  }
                }
              ]
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFDNSProxy"
          },
          "name": "query - 30 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where Category == \"AzureFirewallDnsProxy\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\r\n| project-away msg_s\r\n| where '{DNSRequestName}' == Request_Name or '{DNSRequestName}' == \"*\"\r\n| summarize count() by ClientIP\r\n| sort by count_ desc",
            "size": 0,
            "title": "DNSProxy Request count by ClientIP, filterable by ClientIP",
            "noDataMessage": "There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 0
            },
            "timeContextFromParameter": "DNSTimeBrush",
            "exportFieldName": "ClientIP",
            "exportParameterName": "DNSClientIP",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "maximumSignificantDigits": 4
                    }
                  }
                }
              ]
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFDNSProxy"
          },
          "name": "query - 30 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where Category == \"AzureFirewallDnsProxy\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\r\n| project-away msg_s\r\n| where '{DNSClientIP}' == ClientIP or '{DNSClientIP}' == \"*\"\r\n| where '{DNSRequestName}' == Request_Name or '{DNSRequestName}' == \"*\"\r\n| summarize count() by ClientIP, bin(TimeGenerated, {TimeRange:grain})\r\n",
            "size": 0,
            "title": "DNS Proxy Request over time by ClientIP",
            "noDataMessage": "There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 0
            },
            "timeContextFromParameter": "DNSTimeBrush",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "linechart"
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFDNSProxy"
          },
          "name": "query - 30 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where Category == \"AzureFirewallDnsProxy\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\r\n| project-away msg_s\r\n| where '{DNSClientIP}' == ClientIP or '{DNSClientIP}' == \"*\"\r\n| where '{DNSRequestName}' == Request_Name or '{DNSRequestName}' == \"*\"\r\n| summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNSO_DO, EDNS0_Buffersize, Responce_Code, Responce_Flags, Responce_Size, Response_Duration, SubscriptionId",
            "size": 0,
            "showAnalytics": true,
            "title": "DNS Proxy Information: Query Time({$queryTime}) : Total Rows({$rowCount})",
            "noDataMessage": "There are no DNS Proxy logs within the selected workspaces. If you believe the selection is correct, confirm DNS Proxy logs are enabled for the Azure Firewall and feeding into this selected workspace. Reference Docs: https://docs.microsoft.com/en-us/azure/firewall/",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 0
            },
            "timeContextFromParameter": "DNSTimeBrush",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "rowLimit": 2000,
              "filter": true
            }
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFDNSProxy"
          },
          "name": "query - 30"
        },
        {
          "type": 1,
          "content": {
            "json": "# Azure Firewall Premium - IDPS"
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "text - 42"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\r\n| summarize count() by Action",
            "size": 2,
            "title": "IDPS Actions Count, filterable by Action",
            "noDataMessage": "This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/en-us/azure/firewall/premium-features",
            "noDataMessageStyle": 2,
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "series",
            "exportParameterName": "IDSIPSAction",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "piechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "query - 44"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\r\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \"*\"\r\n| summarize count() by Protocol",
            "size": 2,
            "title": "IDPS Protocol Count, filterable by Protocol",
            "noDataMessage": "This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/en-us/azure/firewall/premium-features",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "series",
            "exportParameterName": "IDSIPSProtocol",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "piechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "query - 45"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\r\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \"*\"\r\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \"*\"\r\n| summarize count() by SignatureID\r\n",
            "size": 2,
            "title": "IDPS SignatureID Count, filterable by SignatureID",
            "noDataMessage": "This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/en-us/azure/firewall/premium-features",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "series",
            "exportParameterName": "IDSIPSSignatureID",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "piechart"
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "query - 45 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\r\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \"*\"\r\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \"*\"\r\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \"*\"\r\n| summarize count() by SourceIP, DestIP\r\n| sort by count_ desc",
            "size": 2,
            "title": "IDPS SourceIP Count, filterable by SourceIP",
            "noDataMessage": "This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/en-us/azure/firewall/premium-features",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "series",
            "exportParameterName": "IDSIPSSourceIP",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "piechart",
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "SourceIP",
                  "formatter": 5
                }
              ],
              "hierarchySettings": {
                "treeType": 1,
                "groupBy": [
                  "SourceIP"
                ],
                "expandTopLevel": false
              }
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "query - 45 - Copy - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n//| project-away Category, ResourceId, msg_s, SubscriptionId, ResourceProvider, ResourceType, OperationName, Type\r\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\r\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \"*\"\r\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \"*\"\r\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \"*\"\r\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \"*\"\r\n| summarize count() by Action",
            "size": 0,
            "title": "Filtered IDPS Actions by Count",
            "noDataMessage": "This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/en-us/azure/firewall/premium-features",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  }
                }
              ]
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "query - 44 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n//| project-away Category, ResourceId, msg_s, SubscriptionId, ResourceProvider, ResourceType, OperationName, Type\r\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\r\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \"*\"\r\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \"*\"\r\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \"*\"\r\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \"*\"\r\n| summarize count() by Protocol",
            "size": 0,
            "title": "Filtered IDPS Protocols by Count",
            "noDataMessage": "This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/en-us/azure/firewall/premium-features",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  }
                }
              ]
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "query - 45 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n//| project-away Category, ResourceId, msg_s, SubscriptionId, ResourceProvider, ResourceType, OperationName, Type\r\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\r\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \"*\"\r\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \"*\"\r\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \"*\"\r\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \"*\"\r\n| summarize count() by SignatureID",
            "size": 0,
            "title": "Filtered IDPS SignatureIDs by Count",
            "noDataMessage": "This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/en-us/azure/firewall/premium-features",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  }
                }
              ]
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "query - 45 - Copy - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message\r\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \"*\"\r\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \"*\"\r\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \"*\"\r\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \"*\"\r\n| summarize Volume=count() by DestIP, SourceIP\r\n| sort by Volume desc",
            "size": 0,
            "title": "Filtered SourceIP, filterable by DestIP",
            "noDataMessage": "This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/en-us/azure/firewall/premium-features",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "DestIP",
            "exportParameterName": "IDSIPSDestIP",
            "exportDefaultValue": "*",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "table",
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "SourceIP",
                  "formatter": 5
                },
                {
                  "columnMatch": "Volume",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  }
                }
              ],
              "hierarchySettings": {
                "treeType": 1,
                "groupBy": [
                  "SourceIP"
                ],
                "expandTopLevel": false
              }
            },
            "tileSettings": {
              "showBorder": false,
              "titleContent": {
                "columnMatch": "SourceIP",
                "formatter": 1
              },
              "leftContent": {
                "columnMatch": "Volume",
                "formatter": 12,
                "formatOptions": {
                  "palette": "auto"
                },
                "numberFormat": {
                  "unit": 17,
                  "options": {
                    "maximumSignificantDigits": 3,
                    "maximumFractionDigits": 2
                  }
                }
              }
            },
            "graphSettings": {
              "type": 0,
              "topContent": {
                "columnMatch": "SourceIP",
                "formatter": 1
              },
              "centerContent": {
                "columnMatch": "Volume",
                "formatter": 1,
                "numberFormat": {
                  "unit": 17,
                  "options": {
                    "maximumSignificantDigits": 3,
                    "maximumFractionDigits": 2
                  }
                }
              }
            }
          },
          "customWidth": "25",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "query - 45 - Copy - Copy - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n| project TimeGenerated, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, SignatureID, Message, Resource\r\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \"*\"\r\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \"*\"\r\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \"*\"\r\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \"*\"\r\n| where '{IDSIPSDestIP}' == DestIP or '{IDSIPSDestIP}' == \"*\"\r\n| summarize count() by Resource, bin(TimeGenerated,{TimeRange:grain})",
            "size": 0,
            "title": "Azure Firewall IDPS count over time",
            "noDataMessage": "This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/en-us/azure/firewall/premium-features",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "timeBrushParameterName": "AFIDSIPSBrush",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "visualization": "timechart",
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "SourceIP",
                  "formatter": 5
                }
              ],
              "hierarchySettings": {
                "treeType": 1,
                "groupBy": [
                  "SourceIP"
                ],
                "expandTopLevel": false
              }
            }
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "query - 45"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "//reference list posted here : https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-lookup-plugin\r\nlet geoData = externaldata\r\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\r\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\r\n[@\"{GeoLocation}\"] with (ignoreFirstRecord=true, format=\"csv\");\r\nAzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n| project TimeGenerated, SignatureID, Message, Priority, Classification, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, Resource\r\n| where '{IDSIPSAction}' == Action or '{IDSIPSAction}' == \"*\"\r\n| where '{IDSIPSProtocol}' == Protocol or '{IDSIPSProtocol}' == \"*\"\r\n| where '{IDSIPSSignatureID}' == SignatureID or '{IDSIPSSignatureID}' == \"*\"\r\n| where '{IDSIPSSourceIP}' == SourceIP or '{IDSIPSSourceIP}' == \"*\"\r\n| where '{IDSIPSDestIP}' == DestIP or '{IDSIPSDestIP}' == \"*\"\r\n| evaluate ipv4_lookup (geoData, DestIP,  network, false)",
            "size": 0,
            "showAnalytics": true,
            "title": "Azure Firewall IDPS logs with GeoLocation: Query Time({$queryTime}) : Total Rows({$rowCount})",
            "noDataMessage": "This feature is in Azure Firewall Premium; For more information go to https://docs.microsoft.com/en-us/azure/firewall/premium-features",
            "timeContext": {
              "durationMs": 0
            },
            "timeContextFromParameter": "AFIDSIPSBrush",
            "timeBrushParameterName": "AFIDSIPSBrush",
            "showExportToExcel": true,
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "hierarchySettings": {
                "treeType": 1,
                "groupBy": [
                  "Message",
                  "country_name"
                ],
                "expandTopLevel": true
              }
            }
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFIDSIPS"
          },
          "name": "query - 45 - Copy"
        },
        {
          "type": 1,
          "content": {
            "json": "# Azure Firewall - Investigation"
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFInvestigate"
          },
          "name": "text - 43"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project ResourceId,ResourceGroup,SubscriptionId, msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \"TLS extension was missing\"\r\n        and msg_s !has \"No rule matched\"\r\n        and msg_s !has \". Policy: \"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    ),\r\n    (\r\n    materializedData\r\n    | where msg_s !has \"Web Category:\"\r\n        and msg_s !has \". Url\"\r\n        and msg_s !has \" Reason: \"\r\n    | where msg_s has \"Rule Collection Group\"\r\n    | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n    )\r\n| summarize count() by FQDN, Action\r\n| sort by count_ desc",
            "size": 0,
            "title": "FQDN Traffic by Count, filterable by FQDN: Query Time({$queryTime}) : Total Rows({$rowCount})",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportFieldName": "FQDN",
            "exportParameterName": "FullName",
            "exportDefaultValue": "*",
            "showExportToExcel": true,
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "FQDN",
                  "formatter": 5
                },
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "minimumIntegerDigits": 1,
                      "maximumFractionDigits": 1,
                      "maximumSignificantDigits": 4
                    }
                  }
                }
              ],
              "rowLimit": 2000,
              "filter": true,
              "hierarchySettings": {
                "treeType": 1,
                "groupBy": [
                  "FQDN"
                ],
                "expandTopLevel": true
              }
            }
          },
          "customWidth": "35",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFInvestigate"
          },
          "name": "query - 29 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project ResourceId,ResourceGroup,SubscriptionId, msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has  \"TLS extension was missing\" and msg_s !has \"No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| where msg_s has \"Rule Collection Group\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy:\" Policy \". Rule Collection Group:\" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n)\r\n| where SourceIP <> \"\"\r\n| where FQDN == \"{FullName:label}\" or '{FullName}' == \"*\"\r\n| summarize count() by SourceIP, SubscriptionId\r\n| sort by count_",
            "size": 0,
            "title": "SourceIP Address, filterable: Query Time({$queryTime})",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "exportedParameters": [
              {
                "fieldName": "SourceIP",
                "parameterName": "InvestigateIP",
                "parameterType": 1,
                "defaultValue": "privateIPAddress"
              },
              {
                "fieldName": "SourceIP",
                "parameterName": "InvestigateIPWC",
                "parameterType": 1,
                "defaultValue": "*"
              },
              {
                "fieldName": "SubscriptionId",
                "parameterName": "SelectedSubscriptionId",
                "parameterType": 1,
                "defaultValue": "-"
              }
            ],
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "SubscriptionId",
                  "formatter": 5
                },
                {
                  "columnMatch": "count_",
                  "formatter": 8,
                  "formatOptions": {
                    "palette": "whiteBlack"
                  },
                  "numberFormat": {
                    "unit": 17,
                    "options": {
                      "style": "decimal",
                      "useGrouping": false,
                      "maximumSignificantDigits": 4
                    }
                  }
                }
              ],
              "filter": true
            },
            "tileSettings": {
              "titleContent": {
                "columnMatch": "SourceIP",
                "formatter": 4,
                "formatOptions": {
                  "palette": "orange"
                },
                "numberFormat": {
                  "unit": 0,
                  "options": {
                    "style": "decimal",
                    "useGrouping": false
                  }
                }
              },
              "showBorder": true,
              "size": "auto"
            }
          },
          "customWidth": "15",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFInvestigate"
          },
          "name": "query - 33"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "Resources\r\n| where type =~ 'microsoft.network/networkinterfaces'\r\n| where properties contains \"{InvestigateIP}\"\r\n| extend NSG = properties['networkSecurityGroup']['id']\r\n| parse NSG with \"/subscriptions/\" NetworkSecurityGroup_Sub \"/resourceGroups/\" NetworkSecurityGroup_rg \"/providers/Microsoft.Network/networkSecurityGroups/\" NetworkSecurityGroup_Name\r\n| project id, PrivateIPAddress = tostring(properties['ipConfigurations'][0]['properties']['privateIPAddress']),  PublicIPAddress = tostring(properties['ipConfigurations'][0]['properties']['publicIPAddress']['id']), VirtualMachine = tostring(properties['virtualMachine']['id']), subnet = tostring(properties['ipConfigurations'][0]['properties']['subnet']['id']), NetworkSecurityGroup = NetworkSecurityGroup_Name, properties, subscriptionId, tenantId",
            "size": 0,
            "title": "SourceIPAddress Resource Lookup: Query Time({$queryTime}) : Total Rows({$rowCount})",
            "exportFieldName": "id",
            "exportParameterName": "Testid",
            "exportDefaultValue": "*",
            "queryType": 1,
            "resourceType": "microsoft.resourcegraph/resources",
            "crossComponentResources": [
              "value::selected"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "properties",
                  "formatter": 5
                }
              ],
              "filter": true
            },
            "tileSettings": {
              "titleContent": {
                "columnMatch": "SourceIP",
                "formatter": 4,
                "formatOptions": {
                  "palette": "orange"
                },
                "numberFormat": {
                  "unit": 0,
                  "options": {
                    "style": "decimal",
                    "useGrouping": false
                  }
                }
              },
              "showBorder": true,
              "size": "auto"
            }
          },
          "customWidth": "50",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFInvestigate"
          },
          "name": "query - 33 - Copy"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| project ResourceId,ResourceGroup,SubscriptionId, msg_s, Resource, TimeGenerated);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url:\" Url \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and msg_s !has \". Url\" and msg_s has \". No rule matched\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". No rule matched\" *\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s has \"Web Category:\" and msg_s !has \". Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection:\" RuleCollection \". Rule:\" Rule \". Web Category:\" WebCategory\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \" Reason: \"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". \" RuleCollection \". \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \"Rule Collection\" and msg_s !has \"TLS extension was missing\"\r\n| where msg_s has \" Reason:\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \". Action: \" Action \". Reason: \" Rule \".\"\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has  \"TLS extension was missing\" and msg_s !has \"No rule matched\" and msg_s !has \"Rule Collection\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Web Category:\" and  msg_s !has \". Url\" and msg_s !has \" Reason: \"\r\n| where msg_s has \"Rule Collection Group\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n)\r\n| where SourceIP == \"{InvestigateIPWC:label}\" or '{InvestigateIPWC}' == \"*\"\r\n| where FQDN == \"{FullName:label}\" or '{FullName}' == \"*\"\r\n| summarize by TimeGenerated, FQDN, Protocol, Action, SourceIP, SourcePort, DestinationPort , ResourceId , ResourceGroup , RuleCollection, Rule, WebCategory, SubscriptionId\r\n\r\n\r\n",
            "size": 0,
            "title": "FQDN Lookup logs: Query Time({$queryTime}) : Total Rows({$rowCount})",
            "timeContext": {
              "durationMs": 0
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "rowLimit": 2000,
              "filter": true
            }
          },
          "customWidth": "100",
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFInvestigate"
          },
          "name": "query - 33"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "let materializedData =\r\nmaterialize(\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\"\r\n| where OperationName == \"AzureFirewallThreatIntelLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where msg_s contains \"{InvestigateIPWC:label}\" or '{InvestigateIPWC}' == \"*\"\r\n| where msg_s <> \" request from  to . Action: . ThreatIntel: \"\r\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\r\nunion\r\n(\r\nmaterializedData\r\n| where msg_s has \"Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Url: \" Url \". Action: \" Action \". ThreatIntel: \" ThreatIntelMsg\r\n),\r\n(\r\nmaterializedData\r\n| where msg_s !has \"Url\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" FQDN \":\" DestinationPort \". Action: \" Action \". ThreatIntel: \" ThreatIntelMsg\r\n)\r\n| summarize by TimeGenerated, Protocol, SourceIP, SourcePort, FQDN, DestinationPort, Url, Action, ThreatIntelMsg",
            "size": 0,
            "title": "Azure Firewall Threat Intel: Query Time({$queryTime}) : Total Rows({$rowCount})",
            "noDataMessage": "There is no Azure Firewall Threat Intel for your filtered results",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "showExportToExcel": true,
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "rowLimit": 2000,
              "filter": true
            }
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFInvestigate"
          },
          "name": "query - 29"
        },
        {
          "type": 3,
          "content": {
            "version": "KqlItem/1.0",
            "query": "//reference list posted here : https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-lookup-plugin\r\nlet geoData = externaldata\r\n(network:string,geoname_id:string,continent_code:string,continent_name:string,\r\ncountry_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)\r\n[@\"{GeoLocation}\"] with (ignoreFirstRecord=true, format=\"csv\");\r\nAzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| where OperationName == \"AzureFirewallIDSLog\"\r\n| where Resource in~ (split(\"{Resource:label}\", \", \"))\r\n| where msg_s contains \"{InvestigateIPWC:label}\" or '{InvestigateIPWC}' == \"*\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" DestIP \":\" DestPort \". Action: \" Action \". Signature: \" SignatureID \". IDS:\" Message \". Priority:\" Priority \". Classification:\" Classification\r\n| summarize by TimeGenerated, SignatureID, Message, Priority, Classification, Protocol, SourceIP, SourcePort, DestIP, DestPort, Action, Resource\r\n| evaluate ipv4_lookup (geoData, DestIP,  network, false)\r\n",
            "size": 0,
            "title": "Azure Firewall Premium with GeoLocation- IDPS: Query Time({$queryTime}) : Total Rows({$rowCount})",
            "timeContext": {
              "durationMs": 86400000
            },
            "timeContextFromParameter": "TimeRange",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "crossComponentResources": [
              "{Workspaces}"
            ],
            "gridSettings": {
              "formatters": [
                {
                  "columnMatch": "$gen_group",
                  "formatter": 0,
                  "formatOptions": {
                    "customColumnWidthSetting": "60ch"
                  }
                },
                {
                  "columnMatch": "Message",
                  "formatter": 5
                },
                {
                  "columnMatch": "country_name",
                  "formatter": 5
                },
                {
                  "columnMatch": "$gen_group",
                  "formatter": 0,
                  "formatOptions": {
                    "customColumnWidthSetting": "60ch"
                  }
                }
              ],
              "hierarchySettings": {
                "treeType": 1,
                "groupBy": [
                  "Message",
                  "country_name"
                ],
                "expandTopLevel": true
              }
            }
          },
          "conditionalVisibility": {
            "parameterName": "selectedTab",
            "comparison": "isEqualTo",
            "value": "AFInvestigate"
          },
          "name": "query - 58"
        }
      ],
      "isLocked": false,
      "fallbackResourceIds": [
        "Azure Monitor"
      ],
      "fromTemplateId": "sentinel-UserWorkbook"
    }
  },
  "resources": [
    {
      "name": "[parameters('workbookId')]",
      "type": "microsoft.insights/workbooks",
      "location": "[resourceGroup().location]",
      "apiVersion": "2021-03-08",
      "dependsOn": [],
      "kind": "shared",
      "properties": {
        "displayName": "[parameters('workbookDisplayName')]",
        "serializedData": "[string(variables('workbookContent'))]",
        "version": "1.0",
        "sourceId": "[variables('workbookSourceId')]",
        "category": "[parameters('workbookType')]"
      }
    }
  ],
  "outputs": {
    "workbookId": {
      "type": "string",
      "value": "[resourceId( 'microsoft.insights/workbooks', parameters('workbookId'))]"
    }
  },
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
}