Koos Goossens TheCloudScout
TheCloudScout
/ sentinel-arm-dynamic-sku
Created
February 2, 2022 08:51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "resources": [ | |
| { | |
| "type": "microsoft.operationalinsights/workspaces", | |
| "apiVersion": "2021-06-01", | |
| "name": "[parameters('logAnalyticsName')]", | |
| "location": "[parameters('location')]", | |
| "properties": { | |
| "sku": "[variables('sku')]", | |
| "retentionInDays": "[parameters('retentionInDays')]", | |
| "workspaceCapping": { |
TheCloudScout
/ sentinel-arm-dynamic-variables
Last active
February 2, 2022 15:18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "variables": { | |
| "sku": "[ | |
| if( | |
| equals(toLower(parameters('pricingTier')), 'capacityreservation'), | |
| json(concat('{\"name\":\"', parameters('pricingTier'), '\",\"capacityReservationLevel\":', parameters('loganalyticsCapacityReservationLevel'), '}')), | |
| json(concat('{\"name\":\"', parameters('pricingTier'), '\"}')) | |
| ) | |
| ]", | |
| "sentinelSku": "[ | |
| if( |
TheCloudScout
/ sentinel-arm-template-capacityreservation
Created
February 2, 2022 08:43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "resources": [ | |
| { | |
| "type": "microsoft.operationalinsights/workspaces", | |
| "apiVersion": "2021-06-01", | |
| "name": "[parameters('logAnalyticsName')]", | |
| "location": "[parameters('location')]", | |
| "properties": { | |
| "sku": { | |
| "name": "capacityreservation", | |
| "capacityReservationLevel": 100 |
TheCloudScout
/ sentinel-arm-template-paypergb
Last active
February 2, 2022 08:45
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "resources": [ | |
| { | |
| "type": "microsoft.operationalinsights/workspaces", | |
| "apiVersion": "2021-06-01", | |
| "name": "[parameters('logAnalyticsName')]", | |
| "location": "[parameters('location')]", | |
| "properties": { | |
| "sku": { | |
| "name": "pergb2018" | |
| }, |
TheCloudScout
/ parse demo - AzureFirewallNetworkRuleLogs
Created
January 12, 2022 17:05
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // This parser with pars string messages in the "msg_s" colomn provided by Azure Firewall diagnostics logs. | |
| // Due to the native of these logs it's impossible to parse all data with a single "parse" statement | |
| // Because there are six different parsers needed all data is deviced into their respective parser type by | |
| // using parse-where sometime in conjuction with an addition "where" statement to prevent duplicates | |
| // | |
| // Create by Koos Goossens @ Wortell Last updated: January 10th 2022 | |
| // | |
| let AzureFirewallNetworkRuleLogs = AzureDiagnostics | |
| | where Category == "AzureFirewallNetworkRule" |
TheCloudScout
/ parse demo - AzureFirewallApplicationRuleLogs
Created
January 12, 2022 17:04
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // This parser with pars string messages in the "msg_s" colomn provided by Azure Firewall diagnostics logs. | |
| // Due to the native of these logs it's impossible to parse all data with a single "parse" statement | |
| // Because there are six different parsers needed all data is deviced into their respective parser type by | |
| // using parse-where sometime in conjuction with an addition "where" statement to prevent duplicates | |
| // | |
| // Created by Koos Goossens @ Wortell Last updated: January 10th 2022 | |
| // | |
| let AzureFirewallApplicationRuleLogs = AzureDiagnostics | |
| | where OperationName == "AzureFirewallApplicationRuleLog"; |
TheCloudScout
/ parse demo - Azure Firewall network rule logs
Created
January 12, 2022 17:00
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let AzureFirewallNetworkRulesLogsSample = datatable( msg_s:string ) | |
| [ | |
| "ICMP Type=8 request from 10.0.0.1 to 10.0.0.2. Action: Allow.", | |
| "TCP request from 10.0.0.1:56088 to 10.0.0.2:443. Action: Allow.", | |
| "HTTP request from 10.0.0.1:62504 to ocsp.sca1b.amazontrust.com:80. Url: ocsp.sca1b.amazontrust.com/MFE=. Action: Deny. ThreatIntel: Bot Networks", | |
| "HTTPS request from 10.0.0.1:53415 to tags.bluekai.com:443. Action: Deny. ThreatIntel: Phishing Url", | |
| "ICMP request from 10.0.0.1: to 10.0.0.2:. Action: alert. Signature: 2100366. IDS: ICMP_INFO PING *NIX. Priority: 3. Classification: Misc activity" | |
| ]; |
TheCloudScout
/ parse demo - Azure Firewall application rule logs
Last active
January 12, 2022 16:42
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let AzureFirewallApplicationRulesLogsSample = datatable( msg_s:string ) | |
| [ | |
| "HTTP request from 10.0.0.1:50776 to ocsp.msocsp.com:80. Url: ocsp.msocsp.com/MFQ=. Action: Allow. Policy: azfwpolicy-nbfw-prd-weeu-01. Rule Collection Group: DefaultApplicationRuleCollectionGroup. Rule Collection: generic-allow-500. Rule: Azure-to-AllowedServices, HTTP", | |
| "HTTPS request from 10.0.0.1:49553 to guestconfiguration.azure.com:443. Action: Allow. Policy: azfwpolicy-nbfw-prd-weeu-01. Rule Collection Group: DefaultApplicationRuleCollectionGroup. Rule Collection: enablement-genericwebcategory-prd-allow-200. Rule: Allowed Business-Use Webcategories. Web Category: ComputersAndTechnology", | |
| "HTTP request from 10.0.0.1:53717 to ocsp.usertrust.com:80. Url: ocsp.usertrust.com/MFEk=. Action: Deny. No rule matched. Proceeding with default action", | |
| "HTTPS request from 10.0.0.1:62773 to settings-win.data.microsoft.com:443. Action: Deny. No rule matched. Proceeding with default action", | |
| "HTTPS request from 10.0.0.1:590 |
TheCloudScout
/ Parse demo - parse inception - performance optimized
Created
January 12, 2022 15:26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let unparsedData = datatable( string_:string ) | |
| [ | |
| "Country: United States City: Chicago Local dish: Deep dish pizza", | |
| "City: New York City Attraction: Statue of Liberty Local dish: Cheesecake", | |
| "Country: United States State: NV Population: 641903 Attraction: Fremont Street", | |
| "State: CA City:San Francisco Population: 873965 Attraction: Golden Gate Bridge Local dish: Clam Chowder" | |
| ]; | |
| let parser1 = unparsedData | |
| | where string_ has_all("Country:", "City:", "dish:") | |
| | parse-where string_ with * |
TheCloudScout
/ Parse demo - parse inception
Last active
January 12, 2022 15:10
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let unparsedData = datatable( string_:string ) | |
| [ | |
| "Country: United States City: Chicago Local dish: Deep dish pizza", | |
| "City: New York City Attraction: Statue of Liberty Local dish: Cheesecake", | |
| "Country: United States State: NV Population: 641903 Attraction: Fremont Street", | |
| "State: CA City:San Francisco Population: 873965 Attraction: Golden Gate Bridge Local dish: Clam Chowder" | |
| ]; | |
| let parser1 = unparsedData | |
| | parse-where string_ with * | |
| "Country: " country:string |