
[Azure Sentinel] Alert from Firewall NAT Rule

VolginRnB 256 Reputation points
Jul 7, 2021, 1:22 PM

Hello Guys,

I would like to monitor Azure Firewall NAT rules using Azure Sentinel/Log Analytics Workspace, but I have no clue how to send these logs to my Log Analytics Workspace.

For example, the rule below allows connections from any IP (*) to access my environment. How can I monitor which other rules allow this?

[image: 112601-image.png]

I tried to use "Diagnostic Settings" but I couldn't get these logs, so I think "Diagnostic Settings" is not the best way. Maybe I can create a custom policy definition to monitor this? Can someone help me please?

Tags: Azure Monitor, Azure Firewall, Azure Policy, Microsoft Sentinel

1 answer

  1. bharathn-msft 5,101 Reputation points Microsoft Employee
    Aug 4, 2021, 4:04 AM

    << Resurfacing the information from comments here for broader community usage>>

    @VolginRnB - Currently, the service-specific logs below are available via diagnostic logging for Azure Firewall. Please review here for additional details.

    • AzureFirewallApplicationRule
    • AzureFirewallNetworkRule
    • AzureFirewallDnsProxy

    However, for your requirement to alert on a specific NAT rule collection, I don't think we have out-of-the-box ingestion into Log Analytics. A custom solution that retrieves the firewall NAT rule collection, ingests it into the Log Analytics workspace and then alerts on top of it should probably help.

    You can leverage Get-AzFirewallPolicyRuleCollectionGroup to get the rule collection; the snippet below might help you scope it down to the source you are looking for.

    # Fetch one rule collection group from the firewall policy (policy, group and resource group names are the answerer's examples)
    $ruleCollection = Get-AzFirewallPolicyRuleCollectionGroup -AzureFirewallPolicyName MyfirewallPolicy -Name DefaultNetworkRuleCollectionGroup -ResourceGroupName Networking-Resources
    # -SimpleMatch treats "*" as a literal string to search for, not as a wildcard pattern
    $ruleCollection[0].Properties.RuleCollection.RulesText | Select-String -SimpleMatch "*"

    Hope the above information helps. Please revert back if you have any further queries.

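The answer above sketches the custom path (pull the NAT rule collection with PowerShell, push it into Log Analytics, alert on it) but only shows the first step. The script below is an added example written for this page, not code from the answerer or from Microsoft: it walks every rule collection group in a firewall policy, keeps only DNAT rules whose source is the wildcard "*", and ships the findings to a Log Analytics custom table with the HTTP Data Collector API so Sentinel can alert on them. The resource group and policy names are the placeholders from the answer; the workspace ID, workspace key and the custom log type AzFwNatRuleAudit are assumptions you replace with your own.

```powershell
#Requires -Modules Az.Accounts, Az.Network
# Added example: audit Azure Firewall Policy DNAT rules with a wildcard source and
# ingest the findings into Log Analytics. Assumes Connect-AzAccount has already run.
param(
    [string]$ResourceGroupName = 'Networking-Resources',        # placeholder from the answer
    [string]$PolicyName        = 'MyfirewallPolicy',            # placeholder from the answer
    [string]$WorkspaceId       = '<workspace-id>',              # assumption: your workspace ID
    [string]$WorkspaceKey      = '<workspace-primary-key>',     # assumption: keep this in Key Vault
    [string]$LogType           = 'AzFwNatRuleAudit'             # assumption: becomes AzFwNatRuleAudit_CL
)

function Get-WildcardNatRule {
    # Returns one record per DNAT rule whose SourceAddresses contains the literal "*".
    param([string]$ResourceGroupName, [string]$PolicyName)

    $policy = Get-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
    foreach ($groupRef in $policy.RuleCollectionGroups) {
        # The policy object only carries resource IDs of its groups; fetch each group by name.
        $groupName = ($groupRef.Id -split '/')[-1]
        $group = Get-AzFirewallPolicyRuleCollectionGroup -Name $groupName -AzureFirewallPolicy $policy
        foreach ($collection in $group.Properties.RuleCollection) {
            # Only DNAT collections matter here; network and application collections are skipped.
            if ($collection.RuleCollectionType -ne 'FirewallPolicyNatRuleCollection') { continue }
            foreach ($rule in $collection.Rules) {
                # A literal "*" in SourceAddresses means any source IP may hit the translated host.
                if ($rule.SourceAddresses -contains '*') {
                    [pscustomobject]@{
                        TimeGenerated       = (Get-Date).ToUniversalTime().ToString('o')
                        FirewallPolicy      = $PolicyName
                        RuleCollectionGroup = $groupName
                        RuleCollection      = $collection.Name
                        RuleName            = $rule.Name
                        SourceAddresses     = ($rule.SourceAddresses -join ',')
                        DestinationPorts    = ($rule.DestinationPorts -join ',')
                        TranslatedAddress   = $rule.TranslatedAddress
                        TranslatedPort      = $rule.TranslatedPort
                    }
                }
            }
        }
    }
}

function Send-LogAnalyticsRecord {
    # Posts records to the Log Analytics HTTP Data Collector API using the SharedKey scheme:
    # the request is signed with HMAC-SHA256 over method, length, content type, date and path.
    param([string]$WorkspaceId, [string]$WorkspaceKey, [string]$LogType, [object[]]$Records)

    $json   = ConvertTo-Json -InputObject @($Records) -Depth 3   # @() keeps a single finding as a JSON array
    $body   = [System.Text.Encoding]::UTF8.GetBytes($json)
    $date   = [DateTime]::UtcNow.ToString('r')                  # RFC 1123 date the API expects
    $toSign = "POST`n$($body.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac   = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($WorkspaceKey))
    $sig    = [Convert]::ToBase64String($hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($toSign)))

    $headers = @{
        Authorization          = "SharedKey ${WorkspaceId}:$sig"
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'TimeGenerated'   # use our timestamp instead of ingestion time
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' -Headers $headers -Body $body
}

$findings = @(Get-WildcardNatRule -ResourceGroupName $ResourceGroupName -PolicyName $PolicyName)
if ($findings.Count -eq 0) {
    Write-Output "No DNAT rules with a wildcard source in policy '$PolicyName'."
} else {
    $findings | Format-Table RuleCollection, RuleName, DestinationPorts, TranslatedAddress, TranslatedPort -AutoSize
    Send-LogAnalyticsRecord -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey -LogType $LogType -Records $findings
}
```

Run it on a schedule (an Automation runbook or a timer-triggered Function with a managed identity that has Reader on the firewall policy) and the findings land in the custom table AzFwNatRuleAudit_CL, where the string columns get a _s suffix; a Sentinel scheduled analytics rule such as `AzFwNatRuleAudit_CL | where SourceAddresses_s == "*" | summarize arg_max(TimeGenerated, *) by RuleName_s` then raises an incident whenever a wildcard DNAT rule exists. Two caveats a practitioner should keep in mind: the workspace key is a credential equivalent to write access on the workspace, so pull it from Key Vault rather than embedding it, and the Data Collector API is the legacy ingestion path; Azure Monitor now recommends the Logs Ingestion API with a data collection rule, which uses Azure AD tokens instead of a shared key.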
