VolginRnB asked bharathn-msft answered

[Azure Sentinel] Alert from Firewall NAT Rule

Hello Guys,

I would like to monitor Azure Firewall NAT Rules using Azure Sentinel/Log Analytics Workspace, but I have no clue how to send these logs to my Log Analytics Workspace.

For example, the rule below allows connection from any IP (*) to access my environment. How can I monitor which other rules allow this?


[image attachment: 112601-image.png]

I tried to use "Diagnostic Settings" but I couldn't get these logs, so I think "Diagnostic Settings" is not the best way. Maybe I can create a custom policy definition to monitor this? Can someone help me please?




Tags: azure-monitor, microsoft-sentinel, azure-policy, azure-firewall

@VolginRnB Our apologies for the delay in getting to this thread.

Currently, the service-specific logs listed below are available via diagnostic logging for Azure Firewall. Please review here for additional details.

  • AzureFirewallApplicationRule

  • AzureFirewallNetworkRule

  • AzureFirewallDnsProxy


However, for your requirement to alert on a specific NAT rule collection, I don't think we have out-of-the-box ingestion into Log Analytics. A custom solution that gets the firewall NAT rule collection, ingests it into the Log Analytics workspace and then alerts on top of it should help. I am trying to test this out and will share more information as I get to it.


@VolginRnB - A custom solution might be the way to go on this.

You can leverage Get-AzFirewallPolicyRuleCollectionGroup to get the rule collection; the snippet below might help you scope it down to the source you are looking for.

 # Requires the Az.Network module and an existing Connect-AzAccount session.
 # Fetches one rule collection group of the policy by name.
 $ruleCollection = Get-AzFirewallPolicyRuleCollectionGroup -AzureFirewallPolicyName MyfirewallPolicy -Name DefaultNetworkRuleCollectionGroup -ResourceGroupName Networking-Resources
 # RulesText is the JSON text of each rule collection in the group.
 # -SimpleMatch looks for a literal "*" (the "any" source) rather than a regex;
 # note it also matches "*" used elsewhere in the rule JSON, e.g. in DestinationPorts.
 $ruleCollection[0].Properties.RuleCollection.RulesText | select-string -SimpleMatch "*"

1 Answer

bharathn-msft answered

<< Resurfacing the information from comments here for broader community usage>>

@VolginRnB - Currently, the service-specific logs listed below are available via diagnostic logging for Azure Firewall. Please review here for additional details.

  • AzureFirewallApplicationRule

  • AzureFirewallNetworkRule

  • AzureFirewallDnsProxy

However, for your requirement to alert on a specific NAT rule collection, I don't think we have out-of-the-box ingestion into Log Analytics. A custom solution that gets the firewall NAT rule collection, ingests it into the Log Analytics workspace and then alerts on top of it should help.

You can leverage Get-AzFirewallPolicyRuleCollectionGroup to get the rule collection; the snippet below might help you scope it down to the source you are looking for.

 # Requires the Az.Network module and an existing Connect-AzAccount session.
 # Fetches one rule collection group of the policy by name.
 $ruleCollection = Get-AzFirewallPolicyRuleCollectionGroup -AzureFirewallPolicyName MyfirewallPolicy -Name DefaultNetworkRuleCollectionGroup -ResourceGroupName Networking-Resources
 # RulesText is the JSON text of each rule collection in the group.
 # -SimpleMatch looks for a literal "*" (the "any" source) rather than a regex;
 # note it also matches "*" used elsewhere in the rule JSON, e.g. in DestinationPorts.
 $ruleCollection[0].Properties.RuleCollection.RulesText | select-string -SimpleMatch "*"

Hope the above information helps. Please revert back if you have any further queries.
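The custom solution sketched in the answer (read the rule collections, pick out rules that accept any source, ingest them into Log Analytics, alert in Sentinel) carried through end to end, as an added example that is not code from the thread or from Microsoft. Instead of grepping the JSON text for a literal "*", it walks the rule objects and checks the SourceAddresses field, so a "*" in DestinationPorts does not produce a false hit. It assumes the object shape that Get-AzFirewallPolicyRuleCollectionGroup returns (.Name, .Properties.RuleCollection[].Rules[].SourceAddresses); the sample rule collection group, the custom table name AzFwOpenNatRule, and the $WorkspaceId / $SharedKey placeholders are constructed for the example. The ingestion function uses the HTTP Data Collector API and only runs when you supply real workspace credentials; everything else runs offline.

```powershell
# Added example (not from the original thread). Finds firewall-policy rules that
# accept traffic from any source and ships them to Log Analytics as custom records.

function Find-AnySourceRules {
    param(
        # Rule collection group object: .Name plus .Properties.RuleCollection[].Rules[]
        # (shape of Get-AzFirewallPolicyRuleCollectionGroup output; assumption for the example)
        [Parameter(Mandatory)] $RuleCollectionGroup,
        # "*" is Azure Firewall's "any" source; 0.0.0.0/0 is the CIDR spelling of the same thing.
        [string[]] $AnySourceMarkers = @('*', '0.0.0.0/0')
    )
    foreach ($collection in $RuleCollectionGroup.Properties.RuleCollection) {
        foreach ($rule in $collection.Rules) {
            # Rules that use SourceIpGroups instead of SourceAddresses are not inspected here.
            $sources = @($rule.SourceAddresses)
            $open = $sources | Where-Object { $AnySourceMarkers -contains $_ }
            if ($open) {
                [pscustomobject]@{
                    RuleCollectionGroup = $RuleCollectionGroup.Name
                    RuleCollection      = $collection.Name
                    RuleCollectionType  = $collection.RuleCollectionType
                    RuleType            = $rule.RuleType
                    RuleName            = $rule.Name
                    SourceAddresses     = ($sources -join ',')
                    DestinationPorts    = (@($rule.DestinationPorts) -join ',')
                    TranslatedAddress   = $rule.TranslatedAddress   # $null for non-NAT rules
                }
            }
        }
    }
}

function Send-LogAnalyticsRecords {
    # HTTP Data Collector API: records land in the custom table "<LogType>_CL".
    param(
        [Parameter(Mandatory)] [string]   $WorkspaceId,
        [Parameter(Mandatory)] [string]   $SharedKey,   # workspace primary/secondary key (base64)
        [Parameter(Mandatory)] [object[]] $Records,
        [string] $LogType = 'AzFwOpenNatRule'           # constructed table name for the example
    )
    $body    = [Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject @($Records) -Depth 5))
    $rfcDate = [DateTime]::UtcNow.ToString('r')
    # String-to-sign for the SharedKey scheme: method, body length, content type, date header, resource.
    $toSign  = "POST`n$($body.Length)`napplication/json`nx-ms-date:$rfcDate`n/api/logs"
    $hmac    = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $sig     = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))
    $headers = @{
        'Authorization' = "SharedKey ${WorkspaceId}:$sig"
        'Log-Type'      = $LogType
        'x-ms-date'     = $rfcDate
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' -Headers $headers -Body $body
}

# Constructed sample (not real tenant data): a DNAT collection with an any-source RDP rule
# and a network collection whose only rule is scoped to one subnet.
$sampleGroup = @'
{
  "Name": "DefaultDnatRuleCollectionGroup",
  "Properties": {
    "Priority": 100,
    "RuleCollection": [
      { "Name": "rdp-inbound", "RuleCollectionType": "FirewallPolicyNatRuleCollection",
        "Rules": [
          { "Name": "rdp-any", "RuleType": "NatRule", "SourceAddresses": ["*"],
            "DestinationAddresses": ["203.0.113.10"], "DestinationPorts": ["3389"],
            "IpProtocols": ["TCP"], "TranslatedAddress": "10.0.1.4", "TranslatedPort": "3389" } ] },
      { "Name": "lan-rules", "RuleCollectionType": "FirewallPolicyFilterRuleCollection",
        "Rules": [
          { "Name": "lan-https", "RuleType": "NetworkRule", "SourceAddresses": ["10.0.0.0/24"],
            "DestinationAddresses": ["10.0.1.0/24"], "DestinationPorts": ["443"], "IpProtocols": ["TCP"] } ] }
    ]
  }
}
'@ | ConvertFrom-Json

$findings = @(Find-AnySourceRules -RuleCollectionGroup $sampleGroup)
$findings | Format-Table RuleCollection, RuleName, SourceAddresses, DestinationPorts, TranslatedAddress

# Against a live policy (Az.Network + Connect-AzAccount), then ship the findings:
# $group = Get-AzFirewallPolicyRuleCollectionGroup -AzureFirewallPolicyName MyfirewallPolicy `
#              -Name DefaultDnatRuleCollectionGroup -ResourceGroupName Networking-Resources
# $findings = @(Find-AnySourceRules -RuleCollectionGroup $group)
# if ($findings) { Send-LogAnalyticsRecords -WorkspaceId $WorkspaceId -SharedKey $SharedKey -Records $findings }
```

Run as-is, the block flags only the rdp-any rule in the constructed sample; the subnet-scoped lan-https rule is not reported. Once records are in the workspace, a scheduled analytics rule in Sentinel over the custom table (string columns get an _s suffix, e.g. `AzFwOpenNatRule_CL | where RuleType_s == "NatRule"`) gives you the alert the question asks for; schedule the collection step from an Automation runbook or Function so the table stays current. The Data Collector API with a shared key is the legacy ingestion path; for a new deployment prefer the Logs Ingestion API with a data collection rule, which uses Azure AD authentication instead of the workspace key.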