[Azure Sentinel] Alert from Firewall NAT Rule

Question

Hello Guys,

I would like to monitor Azure Firewall NAT Rules using Azure Sentinel/Log Analytics Workspace, but I have no clue how to send this logs to my Log Analytics Workspace.

For example the rule below allows connection from any IP (*) to access my envonriment, how can I monitor what others rules allow this ?

I tried to use "Diagnostic Settings" but I couldn't get this logs, so I think "Diagnostic Settings" is not the best way, maybe I can create a custom definition policy for monitor this ? Someone can help me please ?

Answer 1

<< Resurfacing the information from comments here for broader community usage>>

@VolginRnB - Currently below are service-specific logs which are available via diagnostic logging for Azure Firewall. Please review here for additional details.

• AzureFirewallApplicationRule
• AzureFirewallNetworkRule
• AzureFirewallDnsProxy

However for your requirement to alert on specific NAT rule collection , I don't think we have out of box ingestion to Log analytics and probably a custom solution of getting the firewall NAT rule collection and ingesting into Log Analytics workspace and then alerting on top of it, should help.

You can leverage get-azfirewallpolicyrulecollectiongroup to get the rule collection , below snippet might help you to scope it down to the source you are looking for.

$ruleCollection = Get-AzFirewallPolicyRuleCollectionGroup -AzureFirewallPolicyName MyfirewallPolicy -Name DefaultNetworkRuleCollectionGroup -ResourceGroupName Networking-Resources  
$ruleCollection[0].Properties.RuleCollection.RulesText | select-string -SimpleMatch "*"  

Hope the above information helps. Please revert back if you have any further queries.