Mar 17 2022 - last edited on Apr 08 2022
Log Analytics is ON and I wish to run a KQL query as described in the title. In terms of time duration, it can be for the last 24 hours, for example. This is for traffic going through Azure Firewall.
I just want to be able to specify a host and destination IP address, with TCP port 443, for example.
I've searched, but found nothing this specific, and I don't come from a 'script writing' background either, though I do accept that must change going forward.
Mar 17 2022 09:47 AM
I tried this; it seems to be working. I guess there are a few different ways to skin this cat, eh ...
Any tips would be appreciated; at the moment I'm just doing trial and error ;)
AzureDiagnostics  // source table; dropped from the post as extracted, needed for the query to run
| where TimeGenerated > ago(1h)
    and Category == "AzureFirewallNetworkRule"
    and msg_s contains "Deny"
    and msg_s contains "TCP"
    and msg_s contains "from 220.127.116.11"
    and msg_s contains "to 18.104.22.168"
Mar 17 2022 11:51 AM
As you say, there are many ways; there is:
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where Category == 'AzureFirewallNetworkRule'
| where msg_s has_any ('Deny','TCP') // this was from an old example, I think it's right but I don't have data to test
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort " to " DestinationIP ":" DestinationPort " was " Action " to " NatDestination
| where DestinationIP == '22.214.171.124' and SourceIP == '126.96.36.199'
There is an example in the Community GitHub:
AzureMonitorCommunity/Azure Services/Firewalls/Queries/Firewall Logs at master · microsoft/AzureMoni...
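To put the pieces together for the question as asked (one source host, one destination address, TCP/443, the last 24 hours), here is an added example query; it is not from the thread above or from the community repository. It assumes the firewall's diagnostic setting writes network-rule logs to AzureDiagnostics with msg_s in the documented shape "TCP request from 10.0.0.4:49882 to 10.0.0.5:443. Action: Deny" (or "... to 10.0.0.5:443 was DNAT'ed to 10.0.0.6:443" for DNAT hits); the addresses, port and look-back window are placeholders to replace. Two details are worth knowing: a substring test such as `contains "from 10.0.0.4"` also matches 10.0.0.40, so the example extracts the fields with a regex and compares the whole address; and a `parse` in its default (simple) mode is all-or-nothing per message, so a pattern written for the DNAT shape yields nothing for ordinary allow/deny messages, which is why the two shapes are handled separately here.

```kusto
// Added example; not from the thread above. Replace the placeholders below.
let lookback = 24h;                 // "last 24 hours" from the question
let srcIp    = "10.0.0.4";          // placeholder source host
let dstIp    = "10.0.0.5";          // placeholder destination address
let dstPort  = 443;                 // TCP port of interest
// Fields common to both message shapes written by the network-rule log:
//   "TCP request from 10.0.0.4:49882 to 10.0.0.5:443. Action: Deny"
//   "TCP request from 10.0.0.4:49882 to 10.0.0.5:443 was DNAT'ed to 10.0.0.6:443"
// ICMP messages carry no ports and therefore never match, which is fine for a TCP/443 search.
let headPattern = @"^(\w+) request from ([\d\.]+):(\d+) to ([\d\.]+):(\d+)";
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where Category == "AzureFirewallNetworkRule"
// Cheap substring prefilter so the regex only runs on candidate rows. It is not exact
// ("from 10.0.0.4" also matches 10.0.0.40), hence the exact comparison after parsing.
| where msg_s contains strcat("from ", srcIp, ":") and msg_s contains strcat("to ", dstIp, ":")
| extend Protocol        = extract(headPattern, 1, msg_s),
         SourceIP        = extract(headPattern, 2, msg_s),
         SourcePort      = extract(headPattern, 3, msg_s, typeof(int)),
         DestinationIP   = extract(headPattern, 4, msg_s),
         DestinationPort = extract(headPattern, 5, msg_s, typeof(int))
// Plain rule hits end in ". Action: Allow|Deny"; DNAT hits end in "was DNAT'ed to <ip>:<port>".
// "DNAT" as an Action value is a label chosen for this example, not something the log emits.
| extend NatDestination = extract(@"was DNAT'ed to ([\d\.]+:\d+)", 1, msg_s)
| extend Action = iff(isnotempty(NatDestination), "DNAT", extract(@"Action: (\w+)", 1, msg_s))
| where Protocol == "TCP"
    and SourceIP == srcIp
    and DestinationIP == dstIp
    and DestinationPort == dstPort
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            SourcePorts = dcount(SourcePort)
    by Protocol, SourceIP, DestinationIP, DestinationPort, Action, NatDestination
| order by Hits desc
```

The result is one row per action (Allow, Deny, DNAT) for the chosen pair, with hit counts and the first and last time seen, so a single blocked flow and a sustained scan look different at a glance; drop the `summarize` to see the individual rows. If the firewall's diagnostic setting uses resource-specific tables instead of AzureDiagnostics, the same fields arrive already split into columns in the AZFWNetworkRule table and no text parsing is needed.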