Forum Discussion
ajaznawaz
Mar 17, 2022 · Copper Contributor
KQL Query sought for Source and Destination IP and TCP Port
Log Analytics is ON and I wish to run a KQL query as described in the title. In terms of time duration it can be for the last 24 hours, for example. This is for traffic going through Azure Firewall. I ...
ajaznawaz
Mar 17, 2022 · Copper Contributor
I tried this, seems to be working. I guess there are a few different ways to skin this cat, hey ..
Any tips would be appreciated, atm just doing trial and error
AzureDiagnostics
| where TimeGenerated > ago(1h)
    and Category == "AzureFirewallNetworkRule"
    // contains is a case-insensitive substring match on the raw log message
    and msg_s contains "Deny"
    and msg_s contains "TCP"
    and msg_s contains "from 192.6.2.41"
    and msg_s contains "to 192.6.56.107"
Clive_Watson
Mar 17, 2022 · Bronze Contributor
As you say, many ways, there is
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where Category == 'AzureFirewallNetworkRule'
| where msg_s has_all ('Deny','TCP')   // both terms must appear; has_any would match either one
// this was from an old example, I think it's right but I don't have data to test
// Allow/Deny messages end in ". Action: <Action>"; DNAT messages read "... was DNAT'ed to <ip:port>"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " DestinationIP ":" DestinationPort:int *
| extend Action = extract(@"Action: (\w+)", 1, msg_s)
| parse msg_s with * " was " NatAction " to " NatDestination
| where DestinationIP == '2.2.2.2' and SourceIP == '1.1.1.1'
| project TimeGenerated, Protocol, SourceIP, SourcePort, DestinationIP, DestinationPort, Action, NatAction, NatDestination
There is an example in the Community GitHub:
AzureMonitorCommunity/Azure Services/Firewalls/Queries/Firewall Logs at master · microsoft/AzureMonitorCommunity (github.com)
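Pulling the two replies together, here is a complete query for the question in the title (source IP, destination IP and TCP port over a time window). This is an added example, not code from either poster or from the AzureMonitorCommunity repository. It assumes the two msg_s formats Azure Firewall writes to AzureFirewallNetworkRule ("... to 2.2.2.2:443. Action: Deny" and "... to 2.2.2.2:443 was DNAT'ed to 10.0.0.4:443"); the IPs, port and lookback in the let statements are placeholder values to change.

```kql
// Added example. Parameter values below are placeholders, not from the thread.
let lookback = 24h;
let srcIp = "192.6.2.41";
let dstIp = "192.6.56.107";
let dstPort = 443;
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where Category == "AzureFirewallNetworkRule"
// cheap whole-term pre-filter on the raw text before the more expensive parse
| where msg_s has "TCP" and msg_s has srcIp and msg_s has dstIp
// Allow/Deny form (assumed): "TCP request from 1.1.1.1:1234 to 2.2.2.2:443. Action: Deny"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " DestinationIP ":" DestinationPort:int *
| extend Action = extract(@"Action: (\w+)", 1, msg_s)
// DNAT form (assumed): "TCP request from 1.1.1.1:1234 to 2.2.2.2:443 was DNAT'ed to 10.0.0.4:443"
| parse msg_s with * " was " NatAction " to " NatDestination
| extend Action = iff(isempty(Action), NatAction, Action)
// filter on the parsed fields, not on substrings, so 192.6.2.4 does not match 192.6.2.41
| where Protocol == "TCP" and SourceIP == srcIp and DestinationIP == dstIp and DestinationPort == dstPort
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourcePorts = make_set(SourcePort, 20)
    by SourceIP, DestinationIP, DestinationPort, Protocol, Action
| order by Hits desc
```

Drop the `summarize` line and the lines under it to see individual hits instead of one row per source/destination/port/action tuple; remove `and DestinationPort == dstPort` to see every TCP port between the two hosts.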