forked from Azure/Azure-Sentinel
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathtemplate_WindowsFirewallAma.JSON
More file actions
85 lines (85 loc) · 3.51 KB
/
template_WindowsFirewallAma.JSON
File metadata and controls
85 lines (85 loc) · 3.51 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
{
"id": "WindowsFirewallAma",
"title": "Windows Firewall Events via AMA",
"publisher": "Microsoft",
"descriptionMarkdown": "Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocking potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream your Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to stream those logs to the Microsoft Sentinel workspace.\n\nA configured data collection endpoint (DCE) is required to be linked with the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE stored in the same region, it's possible to change the default created DCE and use your existing one through the API. DCEs can be located in your resources with **SentinelDCE** prefix in the resource name.\n\nFor more information, see the following articles:\n- [Data collection endpoints in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal)\n- [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2228623&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "ASimNetworkSessionLogs",
"baseQuery": "ASimNetworkSessionLogs\n| where EventProduct == \"Windows Firewall\""
}
],
"sampleQueries": [
{
"description": "All logs",
"query": "ASimNetworkSessionLogs\n| where EventProduct == \"Windows Firewall\"\n | sort by TimeGenerated"
}
],
"connectivityCriterias": [
{
"type": "ASimNetworkSessionLogs",
"value": null
}
],
"dataTypes": [
{
"name": "ASimNetworkSessionLogs",
"lastDataReceivedQuery": "ASimNetworkSessionLogs\n| where EventProduct == \"Windows Firewall\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"availability": {
"status": 2,
"isPreview": false,
"featureFlag": {
"feature": "WindowsFirewallAMA",
"featureStates": {
"1": 1,
"2": 1,
"3": 1,
"4": 1
}
}
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces/datasources",
"permissionsDisplayText": "read and write permissions.",
"providerDisplayName": "Workspace data sources",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true
}
}
],
"customs": [
{
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
}
]
},
"instructionSteps": [
{
"title": "Enable data collection rule",
"description": "> Windows Firewall events are collected only from Windows agents.",
"instructions": [
{
"type": "WindowsFirewallAma"
}
]
},
{
"instructions": [
{
"parameters": {
"linkType": "OpenCreateDataCollectionRule",
"dataCollectionRuleType": 5
},
"type": "InstallAgent"
}
]
}
]
}