-
Notifications
You must be signed in to change notification settings - Fork 5
/
template.json
64 lines (64 loc) · 17 KB
/
template.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workbookDisplayName": {
"type": "string",
"defaultValue": "NetworkDebug",
"metadata": {
"description": "The friendly name for the workbook that is used in the Gallery or Saved List. Needs to be unique in the scope of the resource group and source"
}
},
"workbookType": {
"type": "string",
"defaultValue": "workbook",
"metadata": {
"description": "The gallery that the workbook will been shown under. Supported values include workbook, `tsg`, Azure Monitor, etc."
}
},
"workbookSourceId": {
"type": "string",
"defaultValue": "Azure Monitor",
"metadata": {
"description": "The id of resource instance to which the workbook will be associated"
}
},
"workbookId": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "The unique guid for this workbook instance"
}
},
"workbookSerializedData": {
"type": "string",
"defaultValue": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Network Debug Workbook\\n## Content\\nThis workbook gives Insights from your Network Security Group [(NSG) flow logs](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview?WT.mc_id=AZ-MVP-5003548) that are sent to your Log Analytics workspaces among any Subscriptions that you have acces within your Azure AD Tenant.\\n\\n## Reference articles\\n💡 [Enable NSG Flow logs with Traffic Analytics](https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics?WT.mc_id=AZ-MVP-5003548)\\n\\n💡 [Schema and data aggregation in Traffic Analytics](https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-schema?WT.mc_id=AZ-MVP-5003548)\\n\\n💡 [Learn how to pick a set of resources to analyze in workbooks](https://github.com/microsoft/Application-Insights-Workbooks/tree/master/Workbooks/Azure%20Monitor%20-%20Getting%20Started/Resource%20Picker?WT.mc_id=AZ-MVP-5003548)\\n\\n💡 [Sample queries](http://harvestingclouds.com/post/troubleshooting-azure-networking-checking-allowed-and-denied-traffic-in-network-security-groups-nsgs-via-log-analytics-queries/?WT.mc_id=AZ-MVP-5003548)\"},\"name\":\"Help message\",\"styleSettings\":{\"margin\":\"20px 0 0 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::all\"],\"parameters\":[{\"id\":\"0e85e0e4-a7e8-4ea8-b291-e444c317843a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceTypes\",\"label\":\"Resource types\",\"type\":7,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"microsoft.network/networksecuritygroups\"],\"isHiddenWhenLocked\":true,\"typeSettings\":{\"additionalResourceOptions\":[],\"includeAll\":true}},{\"id\":\"1f74ed9a-e3ed-498d-bd5b-f68f3836a117\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"label\":\"Subscriptions\",\"type\":6,\"description\":\"All subscriptions\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project value = subscriptionId, label = subscriptionId, selected = Rank == 1\",\"crossComponentResources\":[\"value::selected\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"b616a3a3-4271-4208-b1a9-a92a78efed08\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceGroups\",\"label\":\"Resource groups\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project value = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), label = resourceGroup, selected = false\",\"crossComponentResources\":[\"{Subscription}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"f60ea0a0-3703-44ca-a59b-df0246423f41\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Resources\",\"label\":\"Network security groups\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Resources\\r\\n| where type in~({ResourceTypes})\\r\\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\\r\\n| where resourceGroupId in~({ResourceGroups}) or '*' in~({ResourceGroups})\\r\\n| order by name asc\\r\\n| extend Rank = row_number()\\r\\n| project value = id, label = name, selected = Rank <= 10, group = resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"2c8553c2-19c7-45f8-b7ae-52eb5bb76e8a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]}},{\"id\":\"7f3ed1ec-b914-4edf-a41d-54180537197d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"mySourceIP\",\"label\":\"Source Ip to filter on\",\"type\":1,\"value\":\"\"},{\"id\":\"03650dfc-ac9a-4817-9798-a1e7c494b598\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"myTargetIP\",\"label\":\"Target Ip to filter on\",\"type\":1,\"value\":\"\"},{\"id\":\"9f522ebc-54ff-472c-b78f-20d3f13c8ecf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"nsgWithFlowLogs\",\"label\":\"NSG With Flow Logs\",\"type\":1,\"query\":\"Resources\\n| where type =~ 'Microsoft.Network/networkWatchers/flowlogs'\\n| extend provisioningState = parse_json(properties).provisioningState \\n| extend targetResourceId = iff(provisioningState == \\\"Succeeded\\\", tostring(parse_json(properties).targetResourceId), \\\"null\\\" ) \\n| distinct targetResourceId\",\"crossComponentResources\":[\"value::all\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"5061f372-019f-43f6-80f1-2af25f23f4c4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"logWorkspaceWithFlowLogs\",\"type\":5,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Resources\\n| where type =~ 'Microsoft.Network/networkWatchers/flowlogs'\\n| order by name asc\\n| extend Rank = row_number()\\n| extend provisioningState = parse_json(properties).provisioningState \\n| extend workspaceResourceId = tostring(parse_json(parse_json(parse_json(properties).flowAnalyticsConfiguration).networkWatcherFlowAnalyticsConfiguration).workspaceResourceId)\\n| where workspaceResourceId != \\\"\\\" and provisioningState == \\\"Succeeded\\\"\\n| project value = tostring(parse_json(properties).targetResourceId), label = tostring(parse_json(properties).targetResourceId), workspaceResourceId, provisioningState\\n| distinct workspaceResourceId\",\"crossComponentResources\":[\"value::all\"],\"value\":[\"value::all\"],\"isHiddenWhenLocked\":true,\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e10e4ef9-57ea-4d8e-a1fc-43314ac679af\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"action\",\"label\":\"Action to filter on\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[{\\\\\\\"value\\\\\\\":\\\\\\\"A\\\\\\\",\\\\\\\"label\\\\\\\": \\\\\\\"Allow\\\\\\\"},{\\\\\\\"value\\\\\\\":\\\\\\\"D\\\\\\\",\\\\\\\"label\\\\\\\": \\\\\\\"Deny\\\\\\\"}]\\\",\\\"transformers\\\":null}\",\"value\":[\"D\",\"A\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":8},{\"id\":\"76e9b4c9-7e59-41de-ab5f-bbf68ebda1fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"nsgWithTrafficAnalytics\",\"label\":\"NSG With Flow Logs and Traffic Analytics\",\"type\":1,\"query\":\"Resources\\n| where type =~ 'Microsoft.Network/networkWatchers/flowlogs'\\n| extend provisioningState = parse_json(properties).provisioningState \\n| extend workspaceResourceId = tostring(parse_json(parse_json(parse_json(properties).flowAnalyticsConfiguration).networkWatcherFlowAnalyticsConfiguration).workspaceResourceId)\\n| extend targetResourceId = iff(notempty(workspaceResourceId) and provisioningState == \\\"Succeeded\\\", tostring(parse_json(properties).targetResourceId), \\\"null\\\" ) \\n| distinct targetResourceId\",\"crossComponentResources\":[\"value::all\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"above\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Core parameters\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type =~ 'microsoft.network/networksecuritygroups'\\r\\n| extend flowLogs = \\\"{nsgWithFlowLogs}\\\" has id\\r\\n| extend trafficAnalytics = \\\"{nsgWithTrafficAnalytics}\\\" has id\\r\\n| project Subscription = subscriptionId, ['Resource group'] = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), ['Network Security Group'] = id, [\\\"Location\\\"]=location, [\\\"Flow Logs\\\"]=flowLogs, [\\\"Traffic Analytics\\\"]=trafficAnalytics\",\"size\":1,\"title\":\"Network Security Groups\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Subscription\",\"formatter\":15,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Resource group\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Flow Logs\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"success\",\"text\":\"Enabled\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"disabled\",\"text\":\"Disabled\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Traffic Analytics\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"1\",\"representation\":\"success\",\"text\":\"Enabled\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"disabled\",\"text\":\"Disabled\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"unknown\",\"text\":\"unknown\"}]}},{\"columnMatch\":\"Flow logs\",\"formatter\":11,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}}],\"rowLimit\":1000,\"filter\":true},\"sortBy\":[]},\"showPin\":true,\"name\":\"Network Security Groups\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureNetworkAnalytics_CL \\n| where FlowStartTime_t {TimeRange} \\n| extend SourceIP=SrcIP_s\\n| extend DestinationIP=DestIP_s\\n| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]\\n| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0])\\n| extend NSGName=tostring(split(NSGList_s,'/',2)[0])\\n| where Subscription1_g in~ ({Subscription:subid}) or Subscription2_g in~ ({Subscription:subid})\\n| summarize Count=count() by [\\\"Flow Type\\\"]=FlowType_s\\n| render barchart\",\"size\":0,\"title\":\"Flow Type\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{logWorkspaceWithFlowLogs}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Protocol\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Protocol\",\"sortOrder\":1}]},\"name\":\"Flow Type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureNetworkAnalytics_CL \\n| where FlowStartTime_t {TimeRange} \\n| extend SourceIP=SrcIP_s\\n| extend DestinationIP=DestIP_s\\n| extend NSGRuleAction =tostring(split(NSGRules_s,'|',3)[0])\\n| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0])\\n| extend NSGName=tostring(split(NSGList_s,'/',2)[0])\\n| where \\\"{action}\\\" has NSGRuleAction\\n| where SourceIP has \\\"{mySourceIP}\\\" \\n| where Subscription1_g in~ ({Subscription:subid}) or Subscription2_g in~ ({Subscription:subid})\\n| project SourceIP, DestinationIP, DestinationPort=DestPort_d, Protocol=L7Protocol_s, [\\\"RuleAction\\\"]=NSGRuleAction, FlowStartTime_t, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s\\n| sort by FlowStartTime_t desc\\n\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Filter from source Ip\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{logWorkspaceWithFlowLogs}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RuleAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"D\",\"representation\":\"disabled\",\"text\":\"Deny\"},{\"operator\":\"==\",\"thresholdValue\":\"A\",\"representation\":\"success\",\"text\":\"Allow\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"question\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":100,\"filter\":true},\"sortBy\":[]},\"name\":\"Filter from source Ip\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureNetworkAnalytics_CL \\n| where FlowStartTime_t {TimeRange} \\n| extend SourceIP=SrcIP_s\\n| extend DestinationIP=DestIP_s\\n| extend NSGRuleAction =tostring(split(NSGRules_s,'|',3)[0])\\n| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0])\\n| extend NSGName=tostring(split(NSGList_s,'/',2)[0])\\n| where \\\"{action}\\\" has NSGRuleAction \\n| where DestinationIP has \\\"{myTargetIP}\\\"\\n| where Subscription1_g in~ ({Subscription:subid}) or Subscription2_g in~ ({Subscription:subid})\\n| project SourceIP, DestinationIP, DestinationPort=DestPort_d, Protocol=L7Protocol_s, [\\\"RuleAction\\\"]=NSGRuleAction, FlowStartTime_t, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s\\n| sort by FlowStartTime_t desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Filter from destination Ip\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{logWorkspaceWithFlowLogs}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RuleAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"A\",\"representation\":\"success\",\"text\":\"Allow\"},{\"operator\":\"==\",\"thresholdValue\":\"D\",\"representation\":\"disabled\",\"text\":\"Deny\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"question\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":100,\"filter\":true}},\"name\":\"Filter from destination Ip\",\"styleSettings\":{\"showBorder\":true}}],\"isLocked\":false,\"fallbackResourceIds\":[\"azure monitor\"],\"fromTemplateId\":\"community-Workbooks/Azure Monitor - Getting Started/Resource Picker\"}",
"metadata": {
"description": "Contains the content or payload to be used in the workbook. Use the Resource Manager template from the workbooks UI to get the value"
}
}
},
"resources": [
{
"name": "[parameters('workbookId')]",
"type": "Microsoft.Insights/workbooks",
"location": "[resourceGroup().location]",
"kind": "shared",
"apiVersion": "2018-06-17-preview",
"dependsOn": [],
"properties": {
"displayName": "[parameters('workbookDisplayName')]",
"serializedData": "[parameters('workbookSerializedData')]",
"version": "1.0",
"sourceId": "[parameters('workbookSourceId')]",
"category": "[parameters('workbookType')]"
}
}
],
"outputs": {
"workbookId": {
"type": "string",
"value": "[resourceId( 'Microsoft.Insights/workbooks', parameters('workbookId'))]"
}
}
}