Forum Discussion

Preben902's avatar
Preben902
Copper Contributor
Oct 23, 2019

Kusto regex for extracting IP adresses

In my AzureDiagnostics for my ResourceType "AzureFirewalls", there's a column named "msg_s".  It contains information about IP-adresses trying to request access to another adress.   Examples inclu...
azure monitor
Query Language
CliveWatson's avatar
CliveWatson
Silver Contributor
Oct 24, 2019

Preben902 

 

I can get the first one, but will have to have a think about the other cases 

AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS" 
| where msg_s has "request from"
| extend IPaddr = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))",1,msg_s) 
| extend action = iif(msg_s has ": Deny", "Deny", "Allow") 
| project IPaddr , msg_s , action

In the meantime the above may help 

CliveWatson's avatar
CliveWatson
Silver Contributor
Oct 24, 2019

@Preben902 

 

I also forgot there are some examples on https://docs.microsoft.com/en-us/azure/firewall/log-analytics-samples

AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
| parse msg_s with * ". Action: " Action1a
| parse msg_s with * " was " Action1b " to " NatDestination
| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)
| extend Action = case(Action1a == "", case(Action1b == "",Action2,Action1b), Action1a),Protocol = case(Protocol == "", Protocol2, Protocol),SourceIP = case(SourceIP == "", SourceIP2, SourceIP),TargetIP = case(TargetIP == "", TargetIP2, TargetIP),SourcePort = case(SourcePort == "", "N/A", SourcePort),TargetPort = case(TargetPort == "", "N/A", TargetPort),NatDestination = case(NatDestination == "", "N/A", NatDestination)
| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, NatDestination

 

Results

TimeGenerated msg_s Protocol SourceIP SourcePort TargetIP TargetPort Action NatDestination
2019-09-12T15:20:27.718Z TCP request from 10.249.96.136:49925 to 13.94.141.226:12000. Action: Deny TCP 10.249.96.136 49925 13.94.141.226 12000 Deny N/A
2019-09-12T15:20:27.765Z TCP request from 10.249.96.136:49925 to 13.94.141.226:12000. Action: Deny TCP 10.249.96.136 49925 13.94.141.226 12000 Deny N/A
2019-09-12T15:20:27.843Z TCP request from 10.249.96.136:49925 to 13.94.141.226:12000. Action: Deny TCP 10.249.96.136 49925 13.94.141.226 12000 Deny N/A

Resources