Forum Discussion
Preben902
Oct 23, 2019 | Copper Contributor
Kusto regex for extracting IP addresses
In my AzureDiagnostics for my ResourceType "AzureFirewalls", there's a column named "msg_s". It contains information about IP addresses trying to request access to another address. Examples inclu...
CliveWatson
Oct 24, 2019 | Silver Contributor
I can get the first one, but will have to have a think about the other cases
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where msg_s has "request from"
// capture group 1 is the whole dotted quad; extract() returns only the first match, i.e. the source address
| extend IPaddr = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))", 1, msg_s)
| extend action = iif(msg_s has ": Deny", "Deny", "Allow")
| project IPaddr, msg_s, action
In the meantime the above may help
CliveWatson
Oct 24, 2019 | Silver Contributor
I also forgot there are some examples on https://docs.microsoft.com/en-us/azure/firewall/log-analytics-samples
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
| parse msg_s with * ". Action: " Action1a
| parse msg_s with * " was " Action1b " to " NatDestination
| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)
| extend Action = case(Action1a == "", case(Action1b == "",Action2,Action1b), Action1a),Protocol = case(Protocol == "", Protocol2, Protocol),SourceIP = case(SourceIP == "", SourceIP2, SourceIP),TargetIP = case(TargetIP == "", TargetIP2, TargetIP),SourcePort = case(SourcePort == "", "N/A", SourcePort),TargetPort = case(TargetPort == "", "N/A", TargetPort),NatDestination = case(NatDestination == "", "N/A", NatDestination)
| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, NatDestination
Results
| TimeGenerated | msg_s | Protocol | SourceIP | SourcePort | TargetIP | TargetPort | Action | NatDestination |
|---|---|---|---|---|---|---|---|---|
| 2019-09-12T15:20:27.718Z | TCP request from 10.249.96.136:49925 to 13.94.141.226:12000. Action: Deny | TCP | 10.249.96.136 | 49925 | 13.94.141.226 | 12000 | Deny | N/A |
| 2019-09-12T15:20:27.765Z | TCP request from 10.249.96.136:49925 to 13.94.141.226:12000. Action: Deny | TCP | 10.249.96.136 | 49925 | 13.94.141.226 | 12000 | Deny | N/A |
| 2019-09-12T15:20:27.843Z | TCP request from 10.249.96.136:49925 to 13.94.141.226:12000. Action: Deny | TCP | 10.249.96.136 | 49925 | 13.94.141.226 | 12000 | Deny | N/A |
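An added example (not from the thread or the Microsoft docs page) that pulls every address out of msg_s in one pass with extract_all, so the network-rule, NAT-rule and ICMP message shapes that the four parse statements above handle separately fall out of a single query; the datatable rows are constructed samples standing in for AzureDiagnostics, and the NAT and ICMP message texts are assumed shapes.

```kusto
// Added example. Constructed sample rows stand in for AzureDiagnostics.msg_s;
// replace the datatable with
//   AzureDiagnostics | where ResourceType == "AZUREFIREWALLS"
// to run it against real firewall logs.
datatable(TimeGenerated:datetime, msg_s:string)
[
    datetime(2019-09-12T15:20:27.718Z), "TCP request from 10.249.96.136:49925 to 13.94.141.226:12000. Action: Deny",
    datetime(2019-09-12T15:20:28.101Z), "TCP request from 10.0.0.4:51000 to 40.1.2.3:443 was DNAT'ed to 10.0.1.5:443",
    datetime(2019-09-12T15:20:29.205Z), "ICMP request from 10.0.0.4 to 10.0.1.5. Action: Allow"
]
// One capture group around a dotted quad; extract_all returns every match as a
// dynamic array, so port suffixes (or their absence, as with ICMP) no longer matter.
| extend ips = extract_all(@"(\d{1,3}(?:\.\d{1,3}){3})", msg_s)
// First match is the source, second the target; a third address only appears in
// NAT messages ("... was DNAT'ed to <destination>").
| extend SourceIP = tostring(ips[0]),
         TargetIP = tostring(ips[1]),
         NatDestination = iff(array_length(ips) > 2, tostring(ips[2]), "N/A")
// Network and application rules end in "Action: <verb>"; NAT rules say "was <verb> to".
| extend Action = extract(@"Action: (\w+)", 1, msg_s)
| extend Action = iff(isempty(Action), extract(@" was (\S+) to ", 1, msg_s), Action)
| extend Protocol = extract(@"^(\w+) request from", 1, msg_s)
| project TimeGenerated, Protocol, SourceIP, TargetIP, NatDestination, Action
```

The first row yields SourceIP 10.249.96.136, TargetIP 13.94.141.226, NatDestination N/A and Action Deny, matching the Results table above; the NAT row yields Action DNAT'ed with NatDestination 10.0.1.5.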