Difference between revisions of "Kusto queries FW"
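--- a/Kusto queries FW
+++ b/Kusto queries FW
@@ -17,3 +17,47 @@
 AzureDiagnostics
 | where ResourceType == "AZUREFIREWALLS" and action_s == "Deny" and src_ip_s == "source_ip" and dest_ip_s == "destination_ip"
+```
+
+# Firewall
+```
+AzureDiagnostics
+| where Category == "AzureFirewallNetworkRule"
+| where OperationName == "AzureFirewallNatRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
+//case 1: for records that look like this:
+//PROTO request from IP:PORT to IP:PORT.
+| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
+//case 1a: for regular network rules
+| parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
+//case 1b: for NAT rules
+//TCP request from IP:PORT to IP:PORT was DNAT'ed to IP:PORT
+| parse msg_s with * " was " Action1b:string " to " TranslatedDestination:string ":" TranslatedPort:int *
+//Parse rule data if present
+| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
+| parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
+//case 2: for ICMP records
+//ICMP request from 10.0.2.4 to 10.0.3.4. Action: Allow
+| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
+| extend
+SourcePort = tostring(SourcePortInt),
+TargetPort = tostring(TargetPortInt)
+| extend
+Action = case(Action1a == "", case(Action1b == "",Action2,Action1b), split(Action1a,".")[0]),
+Protocol = case(Protocol == "", Protocol2, Protocol),
+SourceIP = case(SourceIP == "", SourceIP2, SourceIP),
+TargetIP = case(TargetIP == "", TargetIP2, TargetIP),
+//ICMP records don't have port information
+SourcePort = case(SourcePort == "", "N/A", SourcePort),
+TargetPort = case(TargetPort == "", "N/A", TargetPort),
+//Regular network rules don't have a DNAT destination
+TranslatedDestination = case(TranslatedDestination == "", "N/A", TranslatedDestination),
+TranslatedPort = case(isnull(TranslatedPort), "N/A", tostring(TranslatedPort)),
+//Rule information
+Policy = case(Policy == "", "N/A", Policy),
+RuleCollectionGroup = case(RuleCollectionGroup == "", "N/A", RuleCollectionGroup ),
+RuleCollection = case(RuleCollection == "", "N/A", RuleCollection ),
+Rule = case(Rule == "", "N/A", Rule)
+| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, TranslatedDestination, TranslatedPort, Policy, RuleCollectionGroup, RuleCollection, Rule
+| where SourceIP like "10.2.1.1" and TargetIP like "10.3.1.1"
+
+
 ```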
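Review bot: The final filter on the new side, `| where SourceIP like "10.2.1.1" and TargetIP like "10.3.1.1"`, uses `like`, which is not a Kusto string operator, so the whole query fails to parse at its last line. For an exact match on the parsed addresses use `| where SourceIP == "10.2.1.1" and TargetIP == "10.3.1.1"`; `==` also avoids the prefix ambiguity a substring operator such as `contains` would introduce (10.2.1.1 also matching 10.2.1.10). A comment above that line stating that the two addresses are placeholders to be replaced would help readers who copy the query, since the other samples on the page use `10.x.x.x` for the same purpose.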
Revision as of 23:20, 19 August 2024
// Raw Deny messages for TCP traffic that mention one address (10.x.x.x is a placeholder)
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" and OperationName == "AzureFirewallNetworkRuleLog"
| where msg_s contains "TCP" and msg_s contains "10.x.x.x" and msg_s contains "Deny"
| project msg_s
// Every diagnostic message that mentions the address (10.x.x.x is a placeholder); raw text only
AzureDiagnostics
| where msg_s contains "10.x.x.x"
| project msg_s
// Denied flows between one source and one destination on the structured columns;
// "source_ip" and "destination_ip" are placeholders to fill in before running
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Deny"
| where src_ip_s == "source_ip" and dest_ip_s == "destination_ip"
Firewall
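// Normalise Azure Firewall network/NAT rule log messages (msg_s) into one row per
// connection with Protocol, source/target address and port, the rule decision and,
// where present, the DNAT destination and the policy/rule that matched.
// Three message shapes are handled (cases 1, 1a/1b and 2 below); fields a given
// message lacks are filled with "N/A" so every row has the same columns.
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where OperationName == "AzureFirewallNatRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
//case 1: for records that look like this:
//PROTO request from IP:PORT to IP:PORT.
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
//case 1a: for regular network rules
| parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
//case 1b: for NAT rules
//TCP request from IP:PORT to IP:PORT was DNAT'ed to IP:PORT
| parse msg_s with * " was " Action1b:string " to " TranslatedDestination:string ":" TranslatedPort:int *
//Parse rule data if present
| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
| parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
//case 2: for ICMP records
//ICMP request from 10.0.2.4 to 10.0.3.4. Action: Allow
| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
//Ports were parsed as int; convert so the "N/A" fallback below is type-consistent
| extend
SourcePort = tostring(SourcePortInt),
TargetPort = tostring(TargetPortInt)
| extend
//Exactly one of Action1a / Action1b / Action2 is populated per message shape;
//Action1a keeps a trailing "." from the regex, hence the split
Action = case(Action1a == "", case(Action1b == "",Action2,Action1b), split(Action1a,".")[0]),
Protocol = case(Protocol == "", Protocol2, Protocol),
SourceIP = case(SourceIP == "", SourceIP2, SourceIP),
TargetIP = case(TargetIP == "", TargetIP2, TargetIP),
//ICMP records don't have port information
SourcePort = case(SourcePort == "", "N/A", SourcePort),
TargetPort = case(TargetPort == "", "N/A", TargetPort),
//Regular network rules don't have a DNAT destination
TranslatedDestination = case(TranslatedDestination == "", "N/A", TranslatedDestination),
TranslatedPort = case(isnull(TranslatedPort), "N/A", tostring(TranslatedPort)),
//Rule information
Policy = case(Policy == "", "N/A", Policy),
RuleCollectionGroup = case(RuleCollectionGroup == "", "N/A", RuleCollectionGroup ),
RuleCollection = case(RuleCollection == "", "N/A", RuleCollection ),
Rule = case(Rule == "", "N/A", Rule)
| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, TranslatedDestination, TranslatedPort, Policy, RuleCollectionGroup, RuleCollection, Rule
//Restrict to one flow. The addresses are placeholders: replace them before running.
//`==` is an exact match on the parsed address; `like` is not a Kusto operator, and a
//substring operator would also match longer addresses such as 10.2.1.10.
| where SourceIP == "10.2.1.1" and TargetIP == "10.3.1.1"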