davidsantiago-bib/gist:39299eb2501748f280459a54e38e513d

## gistfile1.txt
{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 1,
      "content": {
        "json": "## Azure - Network Insights\n* This dashboard reserved to **Cloud Platform only** is plugged on several Log Analytics Workspace (...).\n* Raw data has been enriched using **Traffic Analytics**.\n",
        "style": "info"
      },
      "name": "text - 2",
      "styleSettings": {
        "showBorder": true
      }
    },
    {
      "type": 9,
      "content": {
        "version": "KqlParameterItem/1.0",
        "parameters": [
          {
            "id": "0307c55e-e656-442e-8b67-2c7159628216",
            "version": "KqlParameterItem/1.0",
            "name": "nsgName",
            "label": "NSG",
            "type": 2,
            "isRequired": true,
            "multiSelect": true,
            "quote": "'",
            "delimiter": ",",
            "query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| distinct NSGList_s\n| project split(NSGList_s, \"/\")[2]\n",
            "typeSettings": {
              "additionalResourceOptions": [
                "value::all"
              ]
            },
            "timeContext": {
              "durationMs": 43200000
            },
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "value": [
              "value::all"
            ]
          },
          {
            "id": "d23fdd2c-7752-443d-9a9d-3b8a3da3a348",
            "version": "KqlParameterItem/1.0",
            "name": "nsgRule",
            "label": "NSG Rule",
            "type": 2,
            "isRequired": true,
            "multiSelect": true,
            "quote": "'",
            "delimiter": ",",
            "query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| where split(NSGList_s, \"/\")[2] in ({nsgName})\n| project NSGRule_s\n| distinct NSGRule_s\n\n",
            "value": [
              "value::all"
            ],
            "typeSettings": {
              "additionalResourceOptions": [
                "value::all"
              ]
            },
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces"
          },
          {
            "id": "e8cbf9fe-3694-4e0f-a91c-73460bd2192a",
            "version": "KqlParameterItem/1.0",
            "name": "srcIp",
            "label": "Source IP",
            "type": 2,
            "isRequired": true,
            "multiSelect": true,
            "quote": "'",
            "delimiter": ",",
            "query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| where NSGRule_s in ({nsgRule})\n| project SrcIP_s\n| distinct SrcIP_s",
            "typeSettings": {
              "additionalResourceOptions": [
                "value::all"
              ]
            },
            "timeContext": {
              "durationMs": 2592000000
            },
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "value": [
              "value::all"
            ]
          },
          {
            "id": "e8cbf9fe-3694-4e0f-a91c-73460bd2192a",
            "version": "KqlParameterItem/1.0",
            "name": "destPort",
            "label": "Destination Port",
            "type": 2,
            "isRequired": true,
            "multiSelect": true,
            "quote": "'",
            "delimiter": ",",
            "query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| where NSGRule_s in ({nsgRule})\n| where SrcIP_s in ({srcIp})\n| where split(NSGList_s, \"/\")[2] in ({nsgName})\n| project DestPort_d\n| distinct DestPort_d\n",
            "typeSettings": {
              "additionalResourceOptions": [
                "value::all"
              ]
            },
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "value": [
              "value::all"
            ]
          },
          {
            "id": "ab0d2979-bb74-4a2a-bf33-25abb29f654d",
            "version": "KqlParameterItem/1.0",
            "name": "destIp",
            "label": "Destination IP",
            "type": 2,
            "isRequired": true,
            "multiSelect": true,
            "quote": "'",
            "delimiter": ",",
            "query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| where SrcIP_s in ({srcIp})\n| where split(NSGList_s, \"/\")[2] in ({nsgName})\n| where DestPort_d in ({destPort})\n| project DestIP_s\n| distinct DestIP_s\n",
            "typeSettings": {
              "additionalResourceOptions": [
                "value::all"
              ]
            },
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces",
            "value": null
          }
        ],
        "style": "above",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "parameters - 1"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "AzureNetworkAnalytics_CL\n| where SubType_s == 'FlowLog' \n| where SrcIP_s in ({srcIp})\n| where DestPort_d in ({destPort})\n| where DestIP_s in ({destIp})\n| where NSGRule_s in ({nsgRule})\n| where split(NSGList_s, \"/\")[2] in ({nsgName})\n| extend SourceAzureVM = iif(isnotempty(VM1_s), split(VM1_s, \"/\")[1], \"N/A\"),\nSourceAzureVMIP = iif(isnotempty(SrcIP_s), SrcIP_s, \"N/A\"),\nDestAzureVM = iif(isnotempty(VM2_s), split(VM2_s, \"/\")[1], \"N/A\"),\nDestAzureVMIP = iif(isnotempty(DestIP_s), DestIP_s, \"N/A\"),\nSourcePublicIPsAggregated = iif(isnotempty(SrcPublicIPs_s), SrcPublicIPs_s, \"N/A\"),\nDestPublicIPsAggregated = iif(isnotempty(DestPublicIPs_s), DestPublicIPs_s, \"N/A\")\n| extend SourcePublicIPsAggregated=replace(@\"\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\", \"\", SourcePublicIPsAggregated)\n| extend DestPublicIPsAggregated=replace(@\"\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\", \"\", DestPublicIPsAggregated)\n| extend FlowDirection_s=replace(\"O\", \"Outbound\", FlowDirection_s)\n| extend FlowDirection_s=replace(\"I\", \"Inbound\", FlowDirection_s)\n| extend L4Protocol_s=replace(\"U\", \"UDP\", L4Protocol_s)\n| extend L4Protocol_s=replace(\"T\", \"TCP\", L4Protocol_s)\n| extend NSG=split(NSGList_s, \"/\")[2]\n| project TimeGenerated, FlowDirection_s, SourceAzureVM, SourceAzureVMIP, SourcePublicIPsAggregated, DestAzureVM, DestAzureVMIP, DestPublicIPsAggregated, L4Protocol_s, L7Protocol_s, DestPort_d, NSG, NSGRule_s, FlowType_s, AllowedOutFlows_d, DeniedOutFlows_d, OutboundBytes_d, InboundBytes_d, OutboundPackets_d, InboundPackets_d, FlowStartTime_t, FlowEndTime_t",
        "size": 2,
        "exportToExcelOptions": "all",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "gridSettings": {
          "rowLimit": 1000,
          "filter": true
        }
      },
      "name": "query - 0"
    }
  ],
  "defaultResourceIds": [
    // PUT HERE RESOURCE ID(s) of Log Analytics Workspace
    "Azure Monitor"
  ],
  "fallbackResourceIds": [
    // PUT HERE RESOURCE ID(s) of Log Analytics Workspace
    "Azure Monitor"
  ],
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
	{
	"version": "Notebook/1.0",
	"items": [
	{
	"type": 1,
	"content": {
	"json": "## Azure - Network Insights\n* This dashboard reserved to Cloud Platform only is plugged on several Log Analytics Workspace (...).\n* Raw data has been enriched using Traffic Analytics.\n",
	"style": "info"
	},
	"name": "text - 2",
	"styleSettings": {
	"showBorder": true
	}
	},
	{
	"type": 9,
	"content": {
	"version": "KqlParameterItem/1.0",
	"parameters": [
	{
	"id": "0307c55e-e656-442e-8b67-2c7159628216",
	"version": "KqlParameterItem/1.0",
	"name": "nsgName",
	"label": "NSG",
	"type": 2,
	"isRequired": true,
	"multiSelect": true,
	"quote": "'",
	"delimiter": ",",
	"query": "AzureNetworkAnalytics_CL\n\| where SubType_s == 'FlowLog' \n\| distinct NSGList_s\n\| project split(NSGList_s, \"/\")[2]\n",
	"typeSettings": {
	"additionalResourceOptions": [
	"value::all"
	]
	},
	"timeContext": {
	"durationMs": 43200000
	},
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces",
	"value": [
	"value::all"
	]
	},
	{
	"id": "d23fdd2c-7752-443d-9a9d-3b8a3da3a348",
	"version": "KqlParameterItem/1.0",
	"name": "nsgRule",
	"label": "NSG Rule",
	"type": 2,
	"isRequired": true,
	"multiSelect": true,
	"quote": "'",
	"delimiter": ",",
	"query": "AzureNetworkAnalytics_CL\n\| where SubType_s == 'FlowLog' \n\| where split(NSGList_s, \"/\")[2] in ({nsgName})\n\| project NSGRule_s\n\| distinct NSGRule_s\n\n",
	"value": [
	"value::all"
	],
	"typeSettings": {
	"additionalResourceOptions": [
	"value::all"
	]
	},
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces"
	},
	{
	"id": "e8cbf9fe-3694-4e0f-a91c-73460bd2192a",
	"version": "KqlParameterItem/1.0",
	"name": "srcIp",
	"label": "Source IP",
	"type": 2,
	"isRequired": true,
	"multiSelect": true,
	"quote": "'",
	"delimiter": ",",
	"query": "AzureNetworkAnalytics_CL\n\| where SubType_s == 'FlowLog' \n\| where NSGRule_s in ({nsgRule})\n\| project SrcIP_s\n\| distinct SrcIP_s",
	"typeSettings": {
	"additionalResourceOptions": [
	"value::all"
	]
	},
	"timeContext": {
	"durationMs": 2592000000
	},
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces",
	"value": [
	"value::all"
	]
	},
	{
	"id": "e8cbf9fe-3694-4e0f-a91c-73460bd2192a",
	"version": "KqlParameterItem/1.0",
	"name": "destPort",
	"label": "Destination Port",
	"type": 2,
	"isRequired": true,
	"multiSelect": true,
	"quote": "'",
	"delimiter": ",",
	"query": "AzureNetworkAnalytics_CL\n\| where SubType_s == 'FlowLog' \n\| where NSGRule_s in ({nsgRule})\n\| where SrcIP_s in ({srcIp})\n\| where split(NSGList_s, \"/\")[2] in ({nsgName})\n\| project DestPort_d\n\| distinct DestPort_d\n",
	"typeSettings": {
	"additionalResourceOptions": [
	"value::all"
	]
	},
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces",
	"value": [
	"value::all"
	]
	},
	{
	"id": "ab0d2979-bb74-4a2a-bf33-25abb29f654d",
	"version": "KqlParameterItem/1.0",
	"name": "destIp",
	"label": "Destination IP",
	"type": 2,
	"isRequired": true,
	"multiSelect": true,
	"quote": "'",
	"delimiter": ",",
	"query": "AzureNetworkAnalytics_CL\n\| where SubType_s == 'FlowLog' \n\| where SrcIP_s in ({srcIp})\n\| where split(NSGList_s, \"/\")[2] in ({nsgName})\n\| where DestPort_d in ({destPort})\n\| project DestIP_s\n\| distinct DestIP_s\n",
	"typeSettings": {
	"additionalResourceOptions": [
	"value::all"
	]
	},
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces",
	"value": null
	}
	],
	"style": "above",
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces"
	},
	"name": "parameters - 1"
	},
	{
	"type": 3,
	"content": {
	"version": "KqlItem/1.0",
	"query": "AzureNetworkAnalytics_CL\n\| where SubType_s == 'FlowLog' \n\| where SrcIP_s in ({srcIp})\n\| where DestPort_d in ({destPort})\n\| where DestIP_s in ({destIp})\n\| where NSGRule_s in ({nsgRule})\n\| where split(NSGList_s, \"/\")[2] in ({nsgName})\n\| extend SourceAzureVM = iif(isnotempty(VM1_s), split(VM1_s, \"/\")[1], \"N/A\"),\nSourceAzureVMIP = iif(isnotempty(SrcIP_s), SrcIP_s, \"N/A\"),\nDestAzureVM = iif(isnotempty(VM2_s), split(VM2_s, \"/\")[1], \"N/A\"),\nDestAzureVMIP = iif(isnotempty(DestIP_s), DestIP_s, \"N/A\"),\nSourcePublicIPsAggregated = iif(isnotempty(SrcPublicIPs_s), SrcPublicIPs_s, \"N/A\"),\nDestPublicIPsAggregated = iif(isnotempty(DestPublicIPs_s), DestPublicIPs_s, \"N/A\")\n\| extend SourcePublicIPsAggregated=replace(@\"\\\|(\\d+)\\\|(\\d+)\\\|(\\d+)\\\|(\\d+)\\\|(\\d+)\\\|(\\d+)\", \"\", SourcePublicIPsAggregated)\n\| extend DestPublicIPsAggregated=replace(@\"\\\|(\\d+)\\\|(\\d+)\\\|(\\d+)\\\|(\\d+)\\\|(\\d+)\\\|(\\d+)\", \"\", DestPublicIPsAggregated)\n\| extend FlowDirection_s=replace(\"O\", \"Outbound\", FlowDirection_s)\n\| extend FlowDirection_s=replace(\"I\", \"Inbound\", FlowDirection_s)\n\| extend L4Protocol_s=replace(\"U\", \"UDP\", L4Protocol_s)\n\| extend L4Protocol_s=replace(\"T\", \"TCP\", L4Protocol_s)\n\| extend NSG=split(NSGList_s, \"/\")[2]\n\| project TimeGenerated, FlowDirection_s, SourceAzureVM, SourceAzureVMIP, SourcePublicIPsAggregated, DestAzureVM, DestAzureVMIP, DestPublicIPsAggregated, L4Protocol_s, L7Protocol_s, DestPort_d, NSG, NSGRule_s, FlowType_s, AllowedOutFlows_d, DeniedOutFlows_d, OutboundBytes_d, InboundBytes_d, OutboundPackets_d, InboundPackets_d, FlowStartTime_t, FlowEndTime_t",
	"size": 2,
	"exportToExcelOptions": "all",
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces",
	"gridSettings": {
	"rowLimit": 1000,
	"filter": true
	}
	},
	"name": "query - 0"
	}
	],
	"defaultResourceIds": [
	// PUT HERE RESOURCE ID(s) of Log Analytics Workspace
	"Azure Monitor"
	],
	"fallbackResourceIds": [
	// PUT HERE RESOURCE ID(s) of Log Analytics Workspace
	"Azure Monitor"
	],
	"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
	}