After our previous announcement in August 2023, we want to delve deeper into the enhanced capabilities of the new embedded workbooks. Within Azure, Workbooks serve as a versatile canvas for conducting data analysis and generating visually compelling reports directly within the Azure portal. They let users access diverse data sources across Azure and combine them into cohesive, interactive experiences. Because a workbook can bring together various visualizations and analyses, it is ideal for unrestricted exploration.
Notably, the Azure Firewall Portal has now incorporated embedded workbooks functionality, offering customers a seamless means to analyze Azure Firewall traffic. This feature facilitates the creation of sophisticated visual reports within the Azure portal, allowing users to leverage data from multiple Firewalls deployed across Azure and unify them into interactive, cohesive experiences.
The Embedded Workbook presents users with consolidated information through charts and logs. It is structured into distinct sections, covering Application rules, Network rules, DNS proxy, Intrusion Detection and Prevention System (IDPS), Threat intelligence, and Investigation. Designed to function across multiple tenants and subscriptions, it offers filtering capabilities for various firewalls. Users can filter their firewalls and resource groups, dynamically refining results by category, providing easily interpretable data sets for investigating firewall-related issues. This powerful tool enables users to gain insights into Azure Firewall events, comprehend application and network rules, and access statistics detailing firewall activities across URLs, ports, and IP addresses.
Prerequisites
To use the Azure Firewall embedded workbook, you must enable Azure Firewall logging and send the logs to your Log Analytics workspace. Follow these steps to enable logging:
Note: Make sure that you are using the new ‘resource specific’ table logging and not the legacy ‘azure diagnostics’ mode, so that this workbook works properly. To learn more about resource-specific logs, see Exploring the New Resource Specific Structured Logging in Azure Firewall - Microsoft Community Hub.
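One way to check this prerequisite offline, as an added example that is not part of the original post: the script audits a firewall's diagnostic settings (JSON in the shape returned by `az monitor diagnostic-settings list`) and reports which workbook tabs would have data. The tab-to-category mapping, the function name and the sample JSON are assumptions made for this example.

```python
import json

# Assumed mapping of workbook tabs to resource-specific log categories.
TAB_CATEGORIES = {
    "Application Rules": "AZFWApplicationRule",
    "Network Rules": "AZFWNetworkRule",
    "DNS Proxy": "AZFWDnsQuery",
    "IDPS": "AZFWIdpsSignature",
    "Threat intelligence": "AZFWThreatIntel",
}
WS = "<placeholder-workspace-resource-id>"
# Constructed sample: one legacy setting and one resource-specific setting.
SAMPLE = json.dumps([
    {"name": "legacy-diag", "workspaceId": WS, "logAnalyticsDestinationType": None,
     "logs": [{"category": "AzureFirewallNetworkRule", "enabled": True}]},
    {"name": "structured-diag", "workspaceId": WS,
     "logAnalyticsDestinationType": "Dedicated",
     "logs": [{"category": "AZFWNetworkRule", "enabled": True},
              {"category": "AZFWApplicationRule", "enabled": True},
              {"category": "AZFWDnsQuery", "enabled": False}]},
])

def audit_diagnostic_settings(raw_json):
    """Return (tabs_with_data, findings) for one firewall's diagnostic settings."""
    doc = json.loads(raw_json)
    settings = doc.get("value", []) if isinstance(doc, dict) else doc
    covered, findings = set(), []
    for s in settings:
        if not s.get("workspaceId"):
            continue  # storage or event hub only: the workbook cannot query it
        enabled = [e for e in s.get("logs", []) if e.get("enabled")]
        if s.get("logAnalyticsDestinationType") != "Dedicated":
            if enabled:  # legacy mode writes to the AzureDiagnostics table
                findings.append(f"{s.get('name')}: logs use legacy AzureDiagnostics")
            continue
        all_logs = any((e.get("categoryGroup") or "").lower() == "alllogs"
                       for e in enabled)
        cats = {e.get("category") for e in enabled}
        covered |= {t for t, c in TAB_CATEGORIES.items() if all_logs or c in cats}
    for tab, cat in TAB_CATEGORIES.items():
        if tab not in covered:
            findings.append(f"{tab}: {cat} not sent to a resource-specific table")
    return sorted(covered), findings

if __name__ == "__main__":
    tabs, problems = audit_diagnostic_settings(SAMPLE)
    print("Tabs with data:", tabs)
    print("\n".join(problems))
```

A firewall that still has only the legacy setting shows up with every tab listed as a finding, which is the case where the workbook renders empty charts.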
Getting started
Once you've set up Firewall logging, you can start using the Azure Firewall embedded workbooks with the following steps:
1- Navigate to your Azure Firewall resource.
2- Under Monitoring, select the Workbooks blade.
3- In Gallery, you should be able to create new workbooks or utilize the existing Azure Firewall workbook as shown below:
4- Select the log analytics workspace and one or more firewall names you would like to use in this workbook as shown below:
Azure Firewall Workbook Sections:
The Azure Firewall workbook comprises seven tabs, each addressing distinct aspects of the service. Let's examine them individually:
1. Overview
The Overview tab showcases graphs and statistics related to all types of firewall events aggregated from various logging categories, including Network rules, Application rules, DNS, Intrusion Detection and Prevention System (IDPS), Threat Intelligence, and more. The available widgets in the Overview tab include:
2. Application Rules
The Application rules tab shows statistics for layer 7 events, correlated with the customer’s specific application rules in Azure Firewall policy. Available widgets in the Application Rules tab:
3. Network Rules
The Network rules tab shows statistics for layer 4 events, correlated with the customer’s specific network rules in Azure Firewall policy. Available widgets in the Network Rules tab:
4. DNS Proxy
This segment pertains to customers who have set up Azure Firewall to function as a DNS proxy, serving as an intermediary for DNS requests from client virtual machines to a DNS server. The DNS Proxy tab includes various widgets for your use:
5. Intrusion Detection and Prevention System (IDPS)
The IDPS log statistics tab offers a summary of malicious traffic events and the preventive actions undertaken by the service. Within the IDPS tab, you'll find various widgets at your disposal:
6. Threat intelligence (TI)
This page offers a thorough perspective on threat intelligence activities, spotlighting the most prevalent threats, actions, and protocols. It delineates the top 5 Fully Qualified Domain Names (FQDNs) and IP addresses associated with these threats, showcasing threat intelligence detections over time. Additionally, detailed logs from Azure Firewall’s Threat Intelligence are furnished for comprehensive analysis. Within the Threat Intelligence tab, you'll find various widgets for your utilization:
7. Investigation
The Investigation section enables exploration and troubleshooting, offering additional details such as the virtual machine name and network interface name associated with the initiation or termination of traffic. It also establishes correlations between source IP addresses and the Fully Qualified Domain Names (FQDNs) they attempt to access, and provides a geographical location view of your traffic. Widgets available in the Investigation tab:
Conclusion
The Embedded Azure Firewall Workbook emerges as a potent tool, offering users consolidated information through charts and logs. With its versatile filtering capabilities for firewalls and resource groups, coupled with dynamic category filtering, it provides easily interpretable data sets for investigating log-related issues. This tool proves invaluable for gaining insights into Azure Firewall events, understanding application and network rules, and accessing statistics on firewall activities spanning DNS, Threat Intel, and IDPS. Designed to seamlessly function across multiple tenants and subscriptions, with filter options for various firewalls, the workbook stands as a valuable addition to Azure Firewall. It significantly enhances the efficiency of monitoring, managing, and troubleshooting your Azure firewalls.