Public/LogAnalytics.ps1
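function New-LogAnalyticsWorkspace {
    <#
    .SYNOPSIS
    Creates a Log Analytics workspace and routes Azure Firewall diagnostics to it.

    .DESCRIPTION
    Reads RGName, Location, NameSuffix and FirewallName from the payload, then:
      1. creates the workspace "log-analytics-<NameSuffix>" in RGName,
      2. adds a diagnostic setting on the firewall that targets that workspace,
      3. stores a saved search for the firewall network rule log,
      4. adds a WorkspaceName property to the payload and emits the payload.

    Each provisioning step is run with -ErrorAction Stop. If the workspace or
    the diagnostic setting cannot be created, the function throws rather than
    returning a payload that implies firewall logging is in place.

    .PARAMETER Payload
    Object carrying RGName, Location, NameSuffix and FirewallName. It is
    modified in place (WorkspaceName is added) and written to the output.

    .OUTPUTS
    The payload object. The Az cmdlet results are not captured, so they are
    written to the output stream ahead of the payload.

    .NOTES
    There is no process block, so when several objects are piped in only the
    last one is handled.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Payload
    )

    # An empty field would otherwise be interpolated into the resource IDs below
    # and produce a malformed ID (e.g. ".../resourceGroups//providers/...").
    foreach ($Field in 'RGName', 'Location', 'NameSuffix', 'FirewallName') {
        if ([string]::IsNullOrWhiteSpace([string]$Payload.$Field)) {
            throw "New-LogAnalyticsWorkspace: payload property '$Field' is missing or empty."
        }
    }

    $RGName = $Payload.RGName
    $Location = $Payload.Location
    $NameSuffix = $Payload.NameSuffix
    $WorkspaceName = "log-analytics-" + $NameSuffix
    $FirewallName = $Payload.FirewallName

    # Without a signed-in Az context the subscription id is empty and every
    # resource ID built from it is invalid.
    $SubscriptionId = (Get-AzContext).Subscription.id
    if ([string]::IsNullOrWhiteSpace([string]$SubscriptionId)) {
        throw "New-LogAnalyticsWorkspace: no Azure subscription in the current context; sign in before calling."
    }

    # The saved search only covers the network rule log category; other
    # firewall log categories are not matched by this query.
    $Query = "AzureDiagnostics | where Category == 'AzureFirewallNetworkRule'"

    # Create a new workspace for Log Analytics.
    # NOTE(review): 'Standard' looks like a legacy pricing tier - confirm the
    # target subscription still accepts it.
    New-AzOperationalInsightsWorkspace -Location $Location -Name $WorkspaceName -Sku Standard -ResourceGroupName $RGName -ErrorAction Stop

    # After provisioning the workspace, describe the firewall's diagnostic setting.
    # Both IDs use $RGName and $SubscriptionId, so the firewall must live in the
    # same resource group and subscription as the workspace.
    $diagSettings = @{
        Name        = "firewallLogAnalytics"
        ResourceId  = "/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Network/azureFirewalls/$FirewallName"
        WorkspaceId = "/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName"
        Enabled     = $true
    }

    # Enable diagnostic logging for the firewall with the new workspace as destination.
    # No category list is passed; presumably the cmdlet then applies to all
    # categories - verify against the installed Az.Monitor version.
    # NOTE(review): newer Az.Monitor releases appear to replace this cmdlet -
    # confirm the module version this project pins.
    Set-AzDiagnosticSetting @diagSettings -ErrorAction Stop

    # Create the saved query to execute in Log Analytics (-Force as in the original call).
    New-AzOperationalInsightsSavedSearch -ResourceGroupName $RGName -WorkspaceName $WorkspaceName -SavedSearchId "FWAccessSearchID" -DisplayName "FirewallAccess" -Category "FWAccess" -Query $Query -Version "1" -Force -ErrorAction Stop

    # -Force lets a payload that already carries WorkspaceName be updated with
    # the name actually used here instead of raising a duplicate-member error.
    $Payload | Add-Member -MemberType NoteProperty -Name 'WorkspaceName' -Value $WorkspaceName -Force

    [pscustomobject]$Payload
}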