KQL Query sought for Source and Destination IP and TCP Port

New Contributor

Log analytics is ON and I wish to run a KQL query as described in the title. In terms of time duration it can be for last 24hours for example. This is for traffic going through Azure firewall.


I just want to be able to specify a host and destination IP address, with TCP port 443 for example.


I've searched, but nothing this specific found and I don't come from a 'script writing' background neither,  though I do accept that must change going forwards.

2 Replies



I tried this, seems to be working. I guess there a few different ways to skin this cat hey ..

Any tips would be appreciated, atm just doing trial and error ;)


| where TimeGenerated > ago(1h)
and Category == "AzureFirewallNetworkRule"
and msg_s contains "Deny"
and msg_s contains "TCP"
and msg_s contains "from"
and msg_s contains "to"



As you say, many ways, there is 

| where TimeGenerated > ago(1h)
| where Category  == 'AzureFirewallNetworkRule'
| where msg_s has_any ('Deny','TCP')
// this was from an old exmaple, I think its right but I dont have data to test 
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort " to " DestinationIP ":" DestinationPort " was " Action " to " NatDestination
| where DestinationIP == '' and SourceIP ==''


There is an example in the Community Github: 
AzureMonitorCommunity/Azure Services/Firewalls/Queries/Firewall Logs at master · microsoft/AzureMoni...