question

Deepaklal-FT asked tbgangav-MSFT edited

Is there a provision to find the Application and network rules added in Azure Firewall in the last XX days/hours?


Any changes in rules (edit/delete/addition) need to be monitored using this. If it's a KQL query, I hope I can take it to my workbook.

Tags: azure-monitor, azure-firewall, fasttrack-azure-startup

ShaikMaheer-MSFT answered

Hi @Deepaklal-FT ,

Regarding the follow-up query, I investigated the logs in Log Analytics and observed how these logs are getting captured. Please check the findings below.

Whenever we add, edit or delete a rule and save the settings, behind the scenes an API request is sent with a request body. That request body only contains the rules which will be live after the save, and those rules then get recreated or updated.

To elaborate, kindly check the example below. Let's say I already have one rule called Allow-DNS. Now I add another rule called demorule. In that case a request body is sent with both rule names in it, as below. That means that here Allow-DNS is getting recreated or updated when demorule gets created.

201761-image.png

Now, let's say I delete demorule from the above two rules. In this case the request body is sent with only the Allow-DNS rule name. That means the logs will only contain the Allow-DNS info in the request body, to convey to the service that only this rule should exist. Please check the request body below.
201726-image.png

Hence, there is no direct way to find exactly which rule was deleted or which rule was updated. We can always get which rules are currently live, along with other details.

If we really want to know exactly which rules were deleted, created or updated, then kindly check the work-around option below which came to my mind. Consider having a config table in SQL or any other storage and load that table with the info of the live rules; then, periodically, get the present live rules info from Log Analytics, cross-compare it with the data in that configuration table, and take a call on which rule was created or which rule was deleted.


From Log Analytics, the AzureActivity log table will give the above information. Try to query data where the OperationName column value is "Creates or updates an Azure Firewall" or the OperationNameValue column value is Microsoft.Network/azureFirewalls/write.

Below are a few important columns which will be useful for you to query data from Log Analytics as per your needs.

201728-image.png

Hope this helps. Please let us know if you have any queries.


Please consider hitting the Accept Answer button. Accepted answers help the community as well.


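The cross-compare workaround described in this answer, as an added example that is not code from the answer or from Microsoft: a Python script that takes exported AzureActivity write events, flattens each request body into a map of rules, diffs consecutive snapshots (or a caller-supplied baseline that plays the role of the config table), and reports who added, changed or removed which rule at what time, which is also the "URL added by caller with timestamp" view the asker describes further down. The export columns (TimeGenerated, Caller, OperationNameValue, and Properties as a JSON string carrying a requestbody JSON string), the ARM body layout (properties.applicationRuleCollections / networkRuleCollections / natRuleCollections, each with properties.rules[]), and the four rows themselves are assumptions and constructed sample data, not real log output.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

WRITE_OP = "MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE"
RULE_COLLECTION_KINDS = ("applicationRuleCollections",
                         "networkRuleCollections", "natRuleCollections")

def _coll(name: str, rules: list) -> dict:
    """One rule collection in the assumed ARM shape (constructed)."""
    return {"name": name, "properties": {"rules": rules}}

def _row(ts: str, caller: str, body: Optional[dict]) -> Dict[str, Any]:
    """One AzureActivity row as this example assumes it is exported (assumption):
    Properties is a JSON string and requestbody inside it is a JSON string."""
    props = {"requestbody": json.dumps(body)} if body is not None else {}
    return {"TimeGenerated": ts, "Caller": caller,
            "OperationNameValue": WRITE_OP, "Properties": json.dumps(props)}

# --- constructed sample rules and events (not real log output) ---------------
ALLOW_DNS = {"name": "Allow-DNS", "protocols": ["UDP"],
             "sourceAddresses": ["10.0.0.0/24"],
             "destinationAddresses": ["168.63.129.16"], "destinationPorts": ["53"]}
ALLOW_DNS_WIDER = dict(ALLOW_DNS, sourceAddresses=["10.0.0.0/24", "10.0.1.0/24"])
ALLOW_GOOGLE = {"name": "Allow-Google", "sourceAddresses": ["10.0.0.0/24"],
                "protocols": [{"protocolType": "Https", "port": 443}],
                "targetFqdns": ["www.google.com"]}

SAMPLE_ROWS = [
    # 1: firewall created with a single network rule
    _row("2022-05-10T09:00:00Z", "alice@contoso.example", {"properties": {
        "networkRuleCollections": [_coll("NetColl", [ALLOW_DNS])]}}),
    # completion row of the same operation carries no request body -> ignored
    _row("2022-05-10T09:00:05Z", "alice@contoso.example", None),
    # 2: Allow-DNS widened to a second source range, application rule added
    _row("2022-05-11T14:30:00Z", "bob@contoso.example", {"properties": {
        "networkRuleCollections": [_coll("NetColl", [ALLOW_DNS_WIDER])],
        "applicationRuleCollections": [_coll("AppColl", [ALLOW_GOOGLE])]}}),
    # 3: Allow-Google deleted; the body now lists only the surviving rules
    _row("2022-05-12T08:00:00Z", "bob@contoso.example", {"properties": {
        "networkRuleCollections": [_coll("NetColl", [ALLOW_DNS_WIDER])],
        "applicationRuleCollections": [_coll("AppColl", [])]}}),
]

def request_body(row: Dict[str, Any]) -> Optional[dict]:
    """Parsed ARM request body of a row, or None if the row carries none."""
    props = row.get("Properties") or {}
    if isinstance(props, str):
        props = json.loads(props)
    body = props.get("requestbody")
    if not body:
        return None
    return json.loads(body) if isinstance(body, str) else body

def flatten_rules(body: dict) -> Dict[str, dict]:
    """Map 'kind/collection/rule' -> rule properties for every rule in the body."""
    flat: Dict[str, dict] = {}
    for kind in RULE_COLLECTION_KINDS:
        for coll in body.get("properties", {}).get(kind, []):
            for rule in coll.get("properties", {}).get("rules", []):
                key = f"{kind}/{coll.get('name', '?')}/{rule.get('name', '?')}"
                flat[key] = {k: v for k, v in rule.items() if k != "name"}
    return flat

def diff_rules(before: Dict[str, dict], after: Dict[str, dict]
               ) -> Tuple[List[str], List[str], List[str]]:
    """Added, removed and modified rule keys between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return added, removed, changed

def rule_changes(rows: List[Dict[str, Any]],
                 baseline: Optional[Dict[str, dict]] = None) -> List[Dict[str, Any]]:
    """Walk write events in time order and diff each full snapshot against the
    previous one. `baseline` is the config table of the answer: the last
    known-live rule set; None means nothing is known yet."""
    previous = dict(baseline or {})
    events = []
    for row in sorted(rows, key=lambda r: r["TimeGenerated"]):
        if str(row.get("OperationNameValue", "")).upper() != WRITE_OP:
            continue
        body = request_body(row)
        if body is None:  # status-only rows have no rules to compare
            continue
        current = flatten_rules(body)
        added, removed, changed = diff_rules(previous, current)
        events.append({"time": row["TimeGenerated"], "caller": row.get("Caller"),
                       "added": added, "removed": removed, "changed": changed,
                       "rules": {k: current[k] for k in added + changed}})
        previous = current
    return events

def report(events: List[Dict[str, Any]]) -> List[str]:
    """One line per change: timestamp, caller, verb, rule key, rule properties."""
    lines = []
    for ev in events:
        for verb, keys in (("ADDED", ev["added"]), ("CHANGED", ev["changed"]),
                           ("REMOVED", ev["removed"])):
            for key in keys:
                props = json.dumps(ev["rules"].get(key, {}))
                lines.append(f"{ev['time']} {ev['caller']} {verb} {key} {props}")
    return lines

if __name__ == "__main__":
    for line in report(rule_changes(SAMPLE_ROWS)):
        print(line)
```

In practice the rows would come from the KQL query shown in the comments (AzureActivity filtered on OperationNameValue) exported to the script, and the last snapshot would be persisted back to the config table and passed in as `baseline` on the next run, so each run only reports what changed since the previous one. Because the request body is a full snapshot, a rule is reported as CHANGED whenever any of its properties differ, including cases where the portal recreated it unchanged in name but with altered contents.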

ShaikMaheer-MSFT answered Deepaklal-FT commented

Hi @Deepaklal-FT ,

Thank you for posting your query on the Microsoft Q&A Platform.

We can consider enabling Diagnostic settings to log all the information into a Log Analytics workspace. Once the data gets logged into the Log Analytics workspace tables, we can write Kusto queries there to query it.

201714-image.png

We can also check under Activity logs. But the retention period would be around 90 days. Hence enabling Diagnostic settings will help to query old data as well.

Check the links below, which will help to understand Activity logs.

Hope this helps. Please let us know if you have any further queries.


Please consider hitting the Accept Answer button. Accepted answers help the community as well. Thank you.



Hi @ShaikMaheer-MSFT, thanks for your answer. I started collecting logs into a Log Analytics workspace. But the KQL to collect newly added rules is not getting the result.


Thanks for replying back @Deepaklal-FT. Diagnostic logs take some time to ingest. They should be available in 30 minutes or so.

However, you can run the query below on AzureActivity to get the details. This is also explained with screenshots in the 2nd answer below:

 AzureActivity 
 | where OperationNameValue == 'MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE'



Hi @AnuragSharma-MSFT,

This will give the whole list of existing rules. I am trying to fetch the edited/added/removed rule alone. I am unable to parse the single rule which is modified.

AnuragSharma-08 answered DharshiniKa-FT commented

Hi @Deepaklal-FT, welcome to Microsoft Q&A forum.

As I understand it, you would like to know if any new Application or network rules are added or changed in Azure Firewall.

Yes, this is possible in 2 ways:

1. Firstly, we can use the Activity logs as highlighted in the screenshots below:

201722-image.png

Then check the JSON or change history:

201638-image.png

2. Another way is to use the logs under Monitoring. Please check the Properties column:

201693-image.png

Here we can also configure alerts.

Please let us know if this helps or else we can discuss further.




Hello @AnuragSharma-MSFT, thanks for your quick response. We are looking only for whether any rules were added/deleted/edited in the firewall.

The above scripts give the whole data. I would like to know if any new Application rules or network rules are added/removed/edited in Azure Firewall. For example, if we are adding the URL www.google.com in a network rule, in the output we have to see something like: this is the URL (www.google.com) which was added in the network rule by the caller, with the timestamp.
