Difference between revisions of "Kusto queries FW"
(3 intermediate revisions by the same user not shown) | |||
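--- a/Kusto queries FW
+++ b/Kusto queries FW
@@ -1,2 +1,17 @@
+```
+AzureDiagnostics
+| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
+| where msg_s contains "10.1.1.1"
+| limit 10
+```
+
+regex
+```
+AzureDiagnostics
+| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
+| where msg_s matches regex @"TCP request from 10\.1\.1\.1:\d+ to 10\.2\.2\.2:22"
+| limit 10
+```
+
 ```
 AzureDiagnostics
@@ -17,3 +32,58 @@
 AzureDiagnostics
 | where ResourceType == "AZUREFIREWALLS" and action_s == "Deny" and src_ip_s == "source_ip" and dest_ip_s == "destination_ip"
+```
+
+# Firewall
+```
+AzureDiagnostics
+| where Category == "AzureFirewallNetworkRule"
+| where OperationName == "AzureFirewallNatRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
+//case 1: for records that look like this:
+//PROTO request from IP:PORT to IP:PORT.
+| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
+//case 1a: for regular network rules
+| parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
+//case 1b: for NAT rules
+//TCP request from IP:PORT to IP:PORT was DNAT'ed to IP:PORT
+| parse msg_s with * " was " Action1b:string " to " TranslatedDestination:string ":" TranslatedPort:int *
+//Parse rule data if present
+| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
+| parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
+//case 2: for ICMP records
+//ICMP request from 10.0.2.4 to 10.0.3.4. Action: Allow
+| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
+| extend
+SourcePort = tostring(SourcePortInt),
+TargetPort = tostring(TargetPortInt)
+| extend
+Action = case(Action1a == "", case(Action1b == "",Action2,Action1b), split(Action1a,".")[0]),
+Protocol = case(Protocol == "", Protocol2, Protocol),
+SourceIP = case(SourceIP == "", SourceIP2, SourceIP),
+TargetIP = case(TargetIP == "", TargetIP2, TargetIP),
+//ICMP records don't have port information
+SourcePort = case(SourcePort == "", "N/A", SourcePort),
+TargetPort = case(TargetPort == "", "N/A", TargetPort),
+//Regular network rules don't have a DNAT destination
+TranslatedDestination = case(TranslatedDestination == "", "N/A", TranslatedDestination),
+TranslatedPort = case(isnull(TranslatedPort), "N/A", tostring(TranslatedPort)),
+//Rule information
+Policy = case(Policy == "", "N/A", Policy),
+RuleCollectionGroup = case(RuleCollectionGroup == "", "N/A", RuleCollectionGroup ),
+RuleCollection = case(RuleCollection == "", "N/A", RuleCollection ),
+Rule = case(Rule == "", "N/A", Rule)
+| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, TranslatedDestination, TranslatedPort, Policy, RuleCollectionGroup, RuleCollection, Rule
+| where SourceIP like "10.2.1.1" and TargetIP like "10.3.1.1"
+
+
+```
+
+
+# Unvalidated
+```
+AzureDiagnostics
+| where ResourceType == "AZUREFIREWALLS"
+| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule" or Category == "AzureFirewallDnsProxy"
+| where tostring(parse_json(msg_s)) contains "192.168.1.1"
+| project TimeGenerated, msg_s, Resource, ResourceGroup, SubscriptionId
+| order by TimeGenerated desc
 ```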
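Review bot: `contains` is a substring match, so `| where msg_s contains "10.1.1.1"` in the first added block also returns log lines for 10.1.1.10, 10.1.1.100 or 110.1.1.1, and the same applies to `contains "192.168.1.1"` in the Unvalidated block. `has` matches whole terms rather than substrings, so `| where msg_s has "10.1.1.1"` avoids those false positives when filtering the raw message. In the Firewall block the final filter uses `like`, which as far as I know is not a KQL string operator, and because SourceIP/TargetIP are already parsed columns an exact comparison is both correct and cheaper: `| where SourceIP == "10.2.1.1" and TargetIP == "10.3.1.1"`. The regex in the second block ends at `:22` with no boundary, so it also matches destination ports 220 and 2200; appending `\b` (or `$`, since `matches regex` is unanchored) closes that gap.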
Latest revision as of 16:11, 18 November 2024
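// Azure Firewall network-rule log lines that mention a single address.
// `has` matches whole terms, so "10.1.1.1" no longer also returns 10.1.1.10,
// 10.1.1.100 or 110.1.1.1 the way the previous `contains` substring match did.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| where msg_s has "10.1.1.1"
| limit 10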
regex
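// Same source table, but matching the full "TCP request from SRC:PORT to DST:PORT"
// shape of a network-rule log line. `\d+` on the source port is deliberate
// (ephemeral ports vary per connection). `matches regex` is unanchored, so the
// trailing \b is needed: without it ":22" also matched ports 220, 2200, ...
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| where msg_s matches regex @"TCP request from 10\.1\.1\.1:\d+ to 10\.2\.2\.2:22\b"
| limit 10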
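// Denied TCP flows involving one address, raw message only.
// "10.x.x.x" is a placeholder to be replaced with the address of interest.
// `has` (whole-term match) replaces `contains` so that a partial address does
// not also match longer addresses sharing the same prefix.
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where OperationName == "AzureFirewallNetworkRuleLog"
| where msg_s has "TCP"
| where msg_s has "10.x.x.x" and msg_s has "Deny"
| project msg_s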
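// Quick look at every AzureDiagnostics message mentioning an address
// ("10.x.x.x" is a placeholder). Note this is not restricted to the firewall
// resource type, so it scans every diagnostic source in the workspace.
// `has` replaces `contains` to avoid matching longer addresses with the same prefix.
AzureDiagnostics
| where msg_s has "10.x.x.x"
| project msg_s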
// Denied flows between two specific hosts, using the already-parsed
// src_ip_s / dest_ip_s columns rather than the raw message.
// "source_ip" and "destination_ip" are placeholders for the real addresses.
// Consecutive `where` operators are equivalent to a single `and`-joined predicate.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Deny"
| where src_ip_s == "source_ip"
| where dest_ip_s == "destination_ip"
Firewall
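// Normalises Azure Firewall network- and NAT-rule log messages into one
// tabular shape (Protocol, SourceIP/Port, TargetIP/Port, Action, DNAT target,
// policy/rule metadata). Three message shapes are handled: plain network
// rules, NAT rules, and ICMP (no ports). Columns that a given shape does not
// carry are filled with "N/A".
// Fix: the final filter used `like`, which is not a KQL string operator; the
// parsed SourceIP/TargetIP columns are compared with `==` instead.
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where OperationName == "AzureFirewallNatRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
//case 1: for records that look like this:
//PROTO request from IP:PORT to IP:PORT.
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
//case 1a: for regular network rules
| parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
//case 1b: for NAT rules
//TCP request from IP:PORT to IP:PORT was DNAT'ed to IP:PORT
| parse msg_s with * " was " Action1b:string " to " TranslatedDestination:string ":" TranslatedPort:int *
//Parse rule data if present
| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
| parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
//case 2: for ICMP records
//ICMP request from 10.0.2.4 to 10.0.3.4. Action: Allow
| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
| extend
    SourcePort = tostring(SourcePortInt),
    TargetPort = tostring(TargetPortInt)
| extend
    // Action1a (network rule) wins, then Action1b (NAT), then Action2 (ICMP)
    Action = case(Action1a == "", case(Action1b == "",Action2,Action1b), split(Action1a,".")[0]),
    Protocol = case(Protocol == "", Protocol2, Protocol),
    SourceIP = case(SourceIP == "", SourceIP2, SourceIP),
    TargetIP = case(TargetIP == "", TargetIP2, TargetIP),
    //ICMP records don't have port information
    SourcePort = case(SourcePort == "", "N/A", SourcePort),
    TargetPort = case(TargetPort == "", "N/A", TargetPort),
    //Regular network rules don't have a DNAT destination
    TranslatedDestination = case(TranslatedDestination == "", "N/A", TranslatedDestination),
    TranslatedPort = case(isnull(TranslatedPort), "N/A", tostring(TranslatedPort)),
    //Rule information
    Policy = case(Policy == "", "N/A", Policy),
    RuleCollectionGroup = case(RuleCollectionGroup == "", "N/A", RuleCollectionGroup ),
    RuleCollection = case(RuleCollection == "", "N/A", RuleCollection ),
    Rule = case(Rule == "", "N/A", Rule)
| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, TranslatedDestination, TranslatedPort, Policy, RuleCollectionGroup, RuleCollection, Rule
// Exact match on the parsed columns; "10.2.1.1" / "10.3.1.1" are the hosts of interest.
| where SourceIP == "10.2.1.1" and TargetIP == "10.3.1.1"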
Unvalidated
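// Unvalidated: every firewall network-, application- and DNS-proxy-rule
// message that mentions an address, newest first.
// Fix: `has` (whole-term match) replaces `contains`, which also matched
// 192.168.1.10, 192.168.1.100, ... The previous tostring(parse_json(msg_s))
// round trip was dropped: msg_s is a string column, and for a non-JSON message
// parse_json/tostring hand the same text back (for a JSON-shaped message it
// would only normalise the text — confirm if that case matters here).
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule" or Category == "AzureFirewallDnsProxy"
| where msg_s has "192.168.1.1"
| project TimeGenerated, msg_s, Resource, ResourceGroup, SubscriptionId
| order by TimeGenerated desc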