Forum Discussion
KQL Query sought for Source and Destination IP and TCP Port
Log analytics is ON and I wish to run a KQL query as described in the title. In terms of time duration it can be for last 24hours for example. This is for traffic going through Azure firewall.
I just want to be able to specify a host and destination IP address, with TCP port 443 for example.
I've searched, but nothing this specific found and I don't come from a 'script writing' background neither, though I do accept that must change going forwards.
2 Replies
I tried this, seems to be working. I guess there a few different ways to skin this cat hey ..
Any tips would be appreciated, atm just doing trial and error ๐
AzureDiagnostics
| where TimeGenerated > ago(1h)
and Category == "AzureFirewallNetworkRule"
and msg_s contains "Deny"
and msg_s contains "TCP"
and msg_s contains "from 192.6.2.41"
and msg_s contains "to 192.6.56.107"As you say, many ways, there is
AzureDiagnostics | where TimeGenerated > ago(1h) | where Category == 'AzureFirewallNetworkRule' | where msg_s has_any ('Deny','TCP') // this was from an old exmaple, I think its right but I dont have data to test | parse msg_s with Protocol " request from " SourceIP ":" SourcePort " to " DestinationIP ":" DestinationPort " was " Action " to " NatDestination | where DestinationIP == '2.2.2.2' and SourceIP =='1.1.1.1'There is an example in the Community Github:
AzureMonitorCommunity/Azure Services/Firewalls/Queries/Firewall Logs at master ยท microsoft/AzureMonitorCommunity (github.com)
