Skip to content

Instantly share code, notes, and snippets.

@davidsantiago-bib

davidsantiago-bib/gist:39299eb2501748f280459a54e38e513d

Created Jun 22, 2020
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Raw
gistfile1.txt
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Azure - Network Insights\n* This dashboard reserved to **Cloud Platform only** is plugged on several Log Analytics Workspace (...).\n* Raw data has been enriched using **Traffic Analytics**.\n",
"style": "info"
},
"name": "text - 2",
"styleSettings": {
"showBorder": true
}
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "0307c55e-e656-442e-8b67-2c7159628216",
"version": "KqlParameterItem/1.0",
"name": "nsgName",
"label": "NSG",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| distinct NSGList_s\n| project split(NSGList_s, \"/\")[2]\n",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 43200000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
},
{
"id": "d23fdd2c-7752-443d-9a9d-3b8a3da3a348",
"version": "KqlParameterItem/1.0",
"name": "nsgRule",
"label": "NSG Rule",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| where split(NSGList_s, \"/\")[2] in ({nsgName})\n| project NSGRule_s\n| distinct NSGRule_s\n\n",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "e8cbf9fe-3694-4e0f-a91c-73460bd2192a",
"version": "KqlParameterItem/1.0",
"name": "srcIp",
"label": "Source IP",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| where NSGRule_s in ({nsgRule})\n| project SrcIP_s\n| distinct SrcIP_s",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
},
{
"id": "e8cbf9fe-3694-4e0f-a91c-73460bd2192a",
"version": "KqlParameterItem/1.0",
"name": "destPort",
"label": "Destination Port",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| where NSGRule_s in ({nsgRule})\n| where SrcIP_s in ({srcIp})\n| where split(NSGList_s, \"/\")[2] in ({nsgName})\n| project DestPort_d\n| distinct DestPort_d\n",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
},
{
"id": "ab0d2979-bb74-4a2a-bf33-25abb29f654d",
"version": "KqlParameterItem/1.0",
"name": "destIp",
"label": "Destination IP",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| where SrcIP_s in ({srcIp})\n| where split(NSGList_s, \"/\")[2] in ({nsgName})\n| where DestPort_d in ({destPort})\n| project DestIP_s\n| distinct DestIP_s\n",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": null
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| where SrcIP_s in ({srcIp})\n| where DestPort_d in ({destPort})\n| where DestIP_s in ({destIp})\n| where NSGRule_s in ({nsgRule})\n| where split(NSGList_s, \"/\")[2] in ({nsgName})\n| extend SourceAzureVM = iif(isnotempty(VM1_s), split(VM1_s, \"/\")[1], \"N/A\"),\nSourceAzureVMIP = iif(isnotempty(SrcIP_s), SrcIP_s, \"N/A\"),\nDestAzureVM = iif(isnotempty(VM2_s), split(VM2_s, \"/\")[1], \"N/A\"),\nDestAzureVMIP = iif(isnotempty(DestIP_s), DestIP_s, \"N/A\"),\nSourcePublicIPsAggregated = iif(isnotempty(SrcPublicIPs_s), SrcPublicIPs_s, \"N/A\"),\nDestPublicIPsAggregated = iif(isnotempty(DestPublicIPs_s), DestPublicIPs_s, \"N/A\")\n| extend SourcePublicIPsAggregated=replace(@\"\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\", \"\", SourcePublicIPsAggregated)\n| extend DestPublicIPsAggregated=replace(@\"\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\", \"\", DestPublicIPsAggregated)\n| extend FlowDirection_s=replace(\"O\", \"Outbound\", FlowDirection_s)\n| extend FlowDirection_s=replace(\"I\", \"Inbound\", FlowDirection_s)\n| extend L4Protocol_s=replace(\"U\", \"UDP\", L4Protocol_s)\n| extend L4Protocol_s=replace(\"T\", \"TCP\", L4Protocol_s)\n| extend NSG=split(NSGList_s, \"/\")[2]\n| project TimeGenerated, FlowDirection_s, SourceAzureVM, SourceAzureVMIP, SourcePublicIPsAggregated, DestAzureVM, DestAzureVMIP, DestPublicIPsAggregated, L4Protocol_s, L7Protocol_s, DestPort_d, NSG, NSGRule_s, FlowType_s, AllowedOutFlows_d, DeniedOutFlows_d, OutboundBytes_d, InboundBytes_d, OutboundPackets_d, InboundPackets_d, FlowStartTime_t, FlowEndTime_t",
"size": 2,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 1000,
"filter": true
}
},
"name": "query - 0"
}
],
"defaultResourceIds": [
// PUT HERE RESOURCE ID(s) of Log Analytics Workspace
"Azure Monitor"
],
"fallbackResourceIds": [
// PUT HERE RESOURCE ID(s) of Log Analytics Workspace
"Azure Monitor"
],
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment