From b5fc4d2798945e7778956df45dcd984adf69de6b Mon Sep 17 00:00:00 2001 From: Jose Miguel <105994471+tabasco-dev@users.noreply.github.com> Date: Wed, 11 Feb 2026 09:57:00 +0100 Subject: [PATCH] Add KQL query for hits by rule collection This query counts the number of hits by rule collection for Azure Firewall during a specified time period. --- .../Queries/Firewall Logs/Hits by rule collection.kql | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 Azure Services/Firewalls/Queries/Firewall Logs/Hits by rule collection.kql diff --git a/Azure Services/Firewalls/Queries/Firewall Logs/Hits by rule collection.kql b/Azure Services/Firewalls/Queries/Firewall Logs/Hits by rule collection.kql new file mode 100644 index 00000000..884b3d76 --- /dev/null +++ b/Azure Services/Firewalls/Queries/Firewall Logs/Hits by rule collection.kql @@ -0,0 +1,11 @@ +// Author: tabasco-dev +// Display name: Hits by rule collection +// Description: Counts number of hits by rule collection during specific period of time +// Categories: Network +// Resource types: Firewalls +// Topic: Firewall Logs + +AZFWNetworkRule +| where TimeGenerated between (datetime('2026-02-10T11:40:00Z') .. datetime('2026-02-10T11:42:00Z')) +| summarize Hits = count() by Rule, RuleCollection, Action +| top 20 by Hits desc
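
Review bot: The `| where TimeGenerated between (datetime('2026-02-10T11:40:00Z') .. datetime('2026-02-10T11:42:00Z'))` line hardcodes a two-minute window on one date, so anyone running this shared query later gets an empty result unless they edit the literals. Drop the filter so the caller's selected time range applies, or use a relative window such as `| where TimeGenerated > ago(1h)`. Separately, the display name and description say hits are counted by rule collection, but `| summarize Hits = count() by Rule, RuleCollection, Action` also splits the counts per rule and per action, and the query reads only `AZFWNetworkRule`. Either group by `RuleCollection` alone or reword the header comments to say the count is per network rule, rule collection and action.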