Forum Discussion
Preben902
Oct 23, 2019Copper Contributor
Kusto regex for extracting IP adresses
In my AzureDiagnostics for my ResourceType "AzureFirewalls", there's a column named "msg_s". It contains information about IP-adresses trying to request access to another adress. Examples inclu...
CliveWatson
Oct 24, 2019Silver Contributor
I can get the first one, but will have to have a think about the other cases
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where msg_s has "request from"
| extend IPaddr = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))",1,msg_s)
| extend action = iif(msg_s has ": Deny", "Deny", "Allow")
| project IPaddr , msg_s , action
In the meantime the above may help
- CliveWatsonOct 24, 2019Silver Contributor
I also forgot there are some examples on https://docs.microsoft.com/en-us/azure/firewall/log-analytics-samples
AzureDiagnostics | where Category == "AzureFirewallNetworkRule" | parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int * | parse msg_s with * ". Action: " Action1a | parse msg_s with * " was " Action1b " to " NatDestination | parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2 | extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt) | extend Action = case(Action1a == "", case(Action1b == "",Action2,Action1b), Action1a),Protocol = case(Protocol == "", Protocol2, Protocol),SourceIP = case(SourceIP == "", SourceIP2, SourceIP),TargetIP = case(TargetIP == "", TargetIP2, TargetIP),SourcePort = case(SourcePort == "", "N/A", SourcePort),TargetPort = case(TargetPort == "", "N/A", TargetPort),NatDestination = case(NatDestination == "", "N/A", NatDestination) | project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, NatDestination
Results
TimeGenerated msg_s Protocol SourceIP SourcePort TargetIP TargetPort Action NatDestination 2019-09-12T15:20:27.718Z TCP request from 10.249.96.136:49925 to 13.94.141.226:12000. Action: Deny TCP 10.249.96.136 49925 13.94.141.226 12000 Deny N/A 2019-09-12T15:20:27.765Z TCP request from 10.249.96.136:49925 to 13.94.141.226:12000. Action: Deny TCP 10.249.96.136 49925 13.94.141.226 12000 Deny N/A 2019-09-12T15:20:27.843Z TCP request from 10.249.96.136:49925 to 13.94.141.226:12000. Action: Deny TCP 10.249.96.136 49925 13.94.141.226 12000 Deny N/A