[Azure Sentinel] Alert from Firewall NAT Rule

VolginRnB 256 Reputation points
2021-07-07T13:22:54.083+00:00

Hello Guys,

I would like to monitor Azure Firewall NAT Rules using Azure Sentinel/Log Analytics Workspace, but I have no clue how to send these logs to my Log Analytics Workspace.

For example, the rule below allows connections from any IP (*) to access my environment. How can I monitor which other rules allow this?

[Image: 112601-image.png (screenshot of the NAT rule with source "*")]

I tried to use "Diagnostic Settings" but I couldn't get these logs, so I think "Diagnostic Settings" is not the best way. Maybe I can create a custom policy definition to monitor this? Can someone help me, please?


1 answer

  1. bharathn-msft 5,086 Reputation points Microsoft Employee
    2021-08-04T04:04:13.427+00:00

    << Resurfacing the information from comments here for broader community usage>>

    @VolginRnB - Currently, the service-specific logs listed below are the ones available via diagnostic logging for Azure Firewall. Please review here for additional details.

    • AzureFirewallApplicationRule
    • AzureFirewallNetworkRule
    • AzureFirewallDnsProxy

    However, for your requirement to alert on a specific NAT rule collection, I don't think we have out-of-the-box ingestion to Log Analytics. A custom solution that gets the firewall NAT rule collection, ingests it into the Log Analytics workspace and then alerts on top of it should probably help.

    You can leverage Get-AzFirewallPolicyRuleCollectionGroup to get the rule collection; the snippet below might help you scope it down to the source you are looking for.

    # Fetch one rule collection group from the firewall policy (Az.Network module)
    $ruleCollection = Get-AzFirewallPolicyRuleCollectionGroup -AzureFirewallPolicyName MyfirewallPolicy -Name DefaultNetworkRuleCollectionGroup -ResourceGroupName Networking-Resources  
    # RulesText is the JSON rendering of each collection's rules; -SimpleMatch treats "*" literally rather than as a pattern
    $ruleCollection[0].Properties.RuleCollection.RulesText | select-string -SimpleMatch "*"  

    Hope the above information helps. Please get back to us if you have any further queries.

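The answer above sketches a three-step custom solution (enumerate NAT rule collections, ingest the findings into Log Analytics, alert on them). The script below, added here as an example and not code from the original answer or from Microsoft, implements the first two steps end to end. It walks every rule collection group in a firewall policy rather than the single group the snippet uses, keeps only DNAT collections, flags rules whose source list contains the wildcard "*" (or 0.0.0.0/0), and posts the findings to a custom Log Analytics table with the HTTP Data Collector API. The policy name, resource group, workspace ID, workspace key and table name are placeholders you must replace.

```powershell
# Added example (not from the original answer): audit NAT rule collections in a
# firewall policy for wildcard-source rules and push findings to Log Analytics.
# Assumptions (placeholders, not values from the page): policy and resource group
# names, plus the workspace ID and primary key for the HTTP Data Collector API.
# Requires the Az.Network module and an existing Connect-AzAccount session.

param(
    [string]$PolicyName        = 'MyfirewallPolicy',         # assumed
    [string]$ResourceGroupName = 'Networking-Resources',     # assumed
    [string]$WorkspaceId       = '<workspace-id>',           # placeholder
    [string]$WorkspaceKey      = '<workspace-primary-key>',  # placeholder
    [string]$LogType           = 'AzureFirewallNatRuleAudit' # lands as AzureFirewallNatRuleAudit_CL
)

function Get-WildcardSourceNatRules {
    param([string]$PolicyName, [string]$ResourceGroupName)

    $policy   = Get-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
    $findings = @()

    # A policy can hold several rule collection groups; check all of them.
    foreach ($groupRef in $policy.RuleCollectionGroups) {
        $groupName = $groupRef.Id.Split('/')[-1]
        $group = Get-AzFirewallPolicyRuleCollectionGroup -Name $groupName `
                    -AzureFirewallPolicyName $PolicyName -ResourceGroupName $ResourceGroupName

        foreach ($collection in $group.Properties.RuleCollection) {
            # Only DNAT collections matter here; network and application rules
            # are already covered by the diagnostic log categories listed above.
            if ($collection.RuleCollectionType -ne 'FirewallPolicyNatRuleCollection') { continue }

            foreach ($rule in $collection.Rules) {
                $wildcard = ($rule.SourceAddresses -contains '*') -or
                            ($rule.SourceAddresses -contains '0.0.0.0/0')
                if (-not $wildcard) { continue }

                $findings += [pscustomobject]@{
                    TimeGenerated       = (Get-Date).ToUniversalTime().ToString('o')
                    PolicyName          = $PolicyName
                    RuleCollectionGroup = $groupName
                    RuleCollection      = $collection.Name
                    RuleName            = $rule.Name
                    SourceAddresses     = ($rule.SourceAddresses -join ',')
                    DestinationPorts    = ($rule.DestinationPorts -join ',')
                    Protocols           = ($rule.IpProtocols -join ',')
                    TranslatedAddress   = $rule.TranslatedAddress
                    TranslatedPort      = $rule.TranslatedPort
                }
            }
        }
    }
    return $findings
}

# HTTP Data Collector API request signing: HMAC-SHA256 over
# "POST\n<length>\napplication/json\nx-ms-date:<date>\n/api/logs"
# keyed with the base64-decoded workspace key.
function Send-LogAnalyticsData {
    param([string]$WorkspaceId, [string]$WorkspaceKey, [string]$LogType, [string]$JsonBody)

    $body     = [Text.Encoding]::UTF8.GetBytes($JsonBody)
    $date     = [DateTime]::UtcNow.ToString('r')
    $toSign   = "POST`n$($body.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac     = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($WorkspaceKey)
    $sig      = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))

    $headers = @{
        'Authorization'        = "SharedKey ${WorkspaceId}:${sig}"
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'TimeGenerated'
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' -Headers $headers -Body $body
}

$findings = Get-WildcardSourceNatRules -PolicyName $PolicyName -ResourceGroupName $ResourceGroupName
if ($findings.Count -eq 0) {
    Write-Host "No NAT rules with a wildcard source found in policy $PolicyName."
} else {
    $findings | Format-Table RuleCollection, RuleName, SourceAddresses, DestinationPorts -AutoSize
    # Wrap in @() so a single finding still serialises as a JSON array
    $json = ConvertTo-Json -InputObject @($findings) -Depth 3
    Send-LogAnalyticsData -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey -LogType $LogType -JsonBody $json
}
```

Run it on a schedule (an Automation runbook or a scheduled task with a service principal that has Network Reader on the policy) so the table stays current. Custom log fields arrive with type suffixes, so string columns such as SourceAddresses become SourceAddresses_s in the resulting AzureFirewallNatRuleAudit_CL table; a Sentinel scheduled analytics rule over that table (for example, any row in the last run) covers the third step. One caveat: the Data Collector API used here is the legacy ingestion path and is being superseded by the Azure Monitor Logs Ingestion API with data collection rules; only the Send-LogAnalyticsData function would change if you move to it.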