Is there a provision to find the Application and network rules added in Azure firewall in last XX days/hours

Deepaklal-FT 66 Reputation points
2022-05-12T18:21:04.1+00:00

Is there a provision to find the Application and network rules added in Azure firewall in last XX days/hours.

Any changes to rules (edit/delete/addition) need to be monitored using this. If it's a KQL query, I hope I can take it to my workbook.


Accepted answer
  1. ShaikMaheer-MSFT 37,656 Reputation points Microsoft Employee
    2022-05-13T10:00:04.867+00:00

    Hi @Deepaklal-FT,

    Regarding the follow-up query, I investigated the logs in Log Analytics and observed how these logs are captured. Please check the findings below.

    Whenever we add, edit or delete a rule and save the settings, behind the scenes an API request is sent with a request body. That request body contains only the rules that will be live after the save, and those rules then get recreated or updated.

    To elaborate, kindly check the example below. Let's say I already have one rule called Allow-DNS. Now I add another rule called demorule. In that case a request body is sent with both rule names in it, as below. That means Allow-DNS is recreated or updated when demorule is created.

    [screenshot: 201761-image.png]

    Now, let's say I delete demorule from the two rules above. In this case the request body is sent with only the Allow-DNS rule name. That means the logs will only contain Allow-DNS info in the request body, to convey to the service that only this rule should exist. Please check the request body below.
    [screenshot: 201726-image.png]

    Hence, there is no direct way to find exactly which rule was deleted or which rule was updated. We can always get which rules are currently live, along with other details.

    If we really want to know exactly which rules were deleted, created or updated, then kindly check the workaround option below, which came to my mind. Consider having a config table in SQL or any other storage, and load that table with the live rules. Then, periodically, get the currently live rules from Log Analytics, cross-compare them with the data in that configuration table, and decide which rule was created or which rule was deleted.

    In Log Analytics, the AzureActivity table will give the above information. Try to query data where the OperationName column value is "Creates or updates an Azure Firewall" or the OperationNameValue column value is Microsoft.Network/azureFirewalls/write.

    Below are a few important columns which will be useful for querying data from Log Analytics as per your needs.

    [screenshot: 201728-image.png]

    Hope this helps. Please let us know if you have any queries.


    Please consider hitting the Accept Answer button. Accepted answers help the community as well.

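The cross-compare workaround described in the accepted answer, carried through as an added example (this is not code from the thread or from Microsoft). It assumes the AzureActivity rows were exported with a query like the `KQL_EXPORT` string inside the block, that each row's `Properties` column is a JSON string whose `requestbody` member is the JSON body of the `Microsoft.Network/azureFirewalls/write` request, and that the body uses the classic (non-policy) schema with rules nested under `properties.applicationRuleCollections`, `networkRuleCollections` and `natRuleCollections`. The `requestbody` filter in the KQL and the sample rows (built to mirror the Allow-DNS / demorule scenario above) are constructed, not real logs. Because every logged body is the complete post-save rule set, diffing consecutive bodies yields exactly the added, removed and edited rules the answer says the log does not give directly; the previous body plays the role of the answer's "config table".

```python
"""Diff Azure Firewall rule sets across successive ARM write events.

Added example, not from the Q&A thread. Assumes classic (non-policy)
azureFirewalls write bodies and AzureActivity rows shaped as in SAMPLE_ROWS.
"""
import json
from typing import Any, Dict, List, Tuple

# KQL to pull the write events (assumption: filtering on requestbody keeps
# only the activity event that actually carries the submitted body).
KQL_EXPORT = """
AzureActivity
| where OperationNameValue =~ "Microsoft.Network/azureFirewalls/write"
| where TimeGenerated > ago(7d)
| where isnotempty(tostring(parse_json(Properties).requestbody))
| project TimeGenerated, Caller, _ResourceId, Properties
| order by TimeGenerated asc
"""

RuleKey = Tuple[str, str, str]  # (collection kind, collection name, rule name)
COLLECTION_KINDS = ("applicationRuleCollections", "networkRuleCollections", "natRuleCollections")


def extract_rules(body: Dict[str, Any]) -> Dict[RuleKey, Dict[str, Any]]:
    """Flatten a firewall request body into {rule key: rule definition}."""
    rules: Dict[RuleKey, Dict[str, Any]] = {}
    props = body.get("properties") or {}
    for kind in COLLECTION_KINDS:
        for coll in props.get(kind) or []:
            for rule in (coll.get("properties") or {}).get("rules") or []:
                rules[(kind, coll.get("name", ""), rule.get("name", ""))] = rule
    return rules


def diff_rules(before: Dict[RuleKey, Any], after: Dict[RuleKey, Any]) -> Dict[str, List[RuleKey]]:
    """Classify rules as added, removed or changed between two snapshots.
    "changed" compares the whole definition, so an edit to ports or addresses
    is caught even though the rule name stays the same."""
    def canon(rule):  # key-order-independent JSON, so reordering is not a false diff
        return json.dumps(rule, sort_keys=True)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in set(before) & set(after) if canon(before[k]) != canon(after[k])),
    }


def request_body_from_row(row: Dict[str, Any]):
    """Properties is a JSON string in the table and requestbody inside it is
    itself JSON encoded as a string, so two decodes are needed."""
    props = row["Properties"]
    if isinstance(props, str):
        props = json.loads(props)
    body = props.get("requestbody")
    if body is None:
        return None
    return json.loads(body) if isinstance(body, str) else body


def rule_changes(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Walk write events oldest to newest, diffing each body against the previous one.
    The first event has no predecessor, so all its rules show as "added": treat it as
    the baseline. A retention gap between events looks the same (a spurious big "added")."""
    previous: Dict[RuleKey, Any] = {}
    changes = []
    for row in sorted(rows, key=lambda r: r["TimeGenerated"]):  # assumes ISO-8601 UTC strings
        body = request_body_from_row(row)
        if body is None:
            continue
        current = extract_rules(body)
        record = diff_rules(previous, current)
        record.update(time=row["TimeGenerated"], caller=row.get("Caller"))
        changes.append(record)
        previous = current
    return changes


# ---- constructed sample data mirroring the answer's Allow-DNS / demorule scenario ----
ALLOW_DNS = {"name": "Allow-DNS", "protocols": ["UDP"], "sourceAddresses": ["10.0.0.0/24"],
             "destinationAddresses": ["168.63.129.16"], "destinationPorts": ["53"]}
DEMORULE = {"name": "demorule", "protocols": ["TCP"], "sourceAddresses": ["10.0.0.0/24"],
            "destinationAddresses": ["10.1.0.5"], "destinationPorts": ["443"]}
ALLOW_DNS_EDITED = dict(ALLOW_DNS, destinationPorts=["53", "5353"])  # an edit, same name


def _make_body(network_rules):
    """Classic-schema request body with one network rule collection (constructed)."""
    return json.dumps({"location": "eastus", "properties": {
        "applicationRuleCollections": [],
        "networkRuleCollections": [{"name": "Coll-Net", "properties": {
            "priority": 100, "action": {"type": "Allow"}, "rules": network_rules}}]}})


def _make_row(ts, caller, body_json):
    return {"TimeGenerated": ts, "Caller": caller,
            "OperationNameValue": "Microsoft.Network/azureFirewalls/write",
            "Properties": json.dumps({"eventCategory": "Administrative", "requestbody": body_json})}


SAMPLE_ROWS = [
    _make_row("2022-05-13T09:00:00Z", "alice@contoso.example", _make_body([ALLOW_DNS])),
    _make_row("2022-05-13T09:30:00Z", "bob@contoso.example", _make_body([ALLOW_DNS, DEMORULE])),
    _make_row("2022-05-13T10:00:00Z", "alice@contoso.example", _make_body([ALLOW_DNS_EDITED])),
]

if __name__ == "__main__":
    for change in rule_changes(SAMPLE_ROWS):
        print(change["time"], change["caller"], "added:", change["added"],
              "removed:", change["removed"], "changed:", change["changed"])
```

Run against the sample rows, the second event reports demorule as added by bob, and the third reports demorule removed and Allow-DNS changed (ports edited) by alice; the Caller column is what turns the rule diff into an audit trail. If the firewall is managed through an Azure Firewall Policy rather than classic rules, the edits land under a different operation (`Microsoft.Network/firewallPolicies/ruleCollectionGroups/write`) with rules nested under `properties.ruleCollections[].rules[]`, so the query filter and `extract_rules` need adjusting for that schema.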

2 additional answers

  1. ShaikMaheer-MSFT 37,656 Reputation points Microsoft Employee
    2022-05-13T07:05:29.383+00:00

    Hi @Deepaklal-FT,

    Thank you for posting your query on the Microsoft Q&A platform.

    We can consider enabling Diagnostic settings to log all the information into a Log Analytics workspace. Once the data is logged into the Log Analytics workspace tables, we can write Kusto queries there to query it.

    [screenshot: 201714-image.png]

    We can also check under Activity logs. But the retention period would be around 90 days. Hence enabling Diagnostic settings will help to query older data as well.

    Check the links below, which will be helpful for understanding Activity logs.

    Hope this helps. Please let us know if you have any further queries.

    --------------

    Please consider hitting the Accept Answer button. Accepted answers help the community as well. Thank you.


  2. Anurag Sharma 17,566 Reputation points
    2022-05-13T07:12:48.017+00:00

    Hi @Deepaklal-FT, welcome to the Microsoft Q&A forum.

    As I understand, you would like to know if any new application or network rules are added or changed in Azure Firewall.

    Yes, this is possible to find out in 2 ways:

    1. Firstly, we can use the activity logs as highlighted in the screenshots shown below:

    [screenshot: 201722-image.png]

    Then checking the JSON or change history:

    [screenshot: 201638-image.png]

    2. Another way is to use logs under monitoring. Please check the properties column:

    [screenshot: 201693-image.png]

    Here we can also configure alerts.

    Please let us know if this helps, or else we can discuss further.