Kusto queries FW
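// Quick sample of network-rule log lines that mention one host.
// `has` matches the address as a whole term, so "10.1.1.1" no longer also hits
// "10.1.1.10", "10.1.1.100" or "110.1.1.1" the way the substring operator `contains` did.
// `top 10 by TimeGenerated desc` returns the newest ten lines; a bare `limit 10`
// returns an arbitrary ten, which is unhelpful when triaging.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| where msg_s has "10.1.1.1"
| top 10 by TimeGenerated desc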
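// Denied TCP flows involving one address ("10.x.x.x" is a placeholder; replace it
// with the real host before running).
// `has` is term-based, so the address does not also match longer addresses that
// contain it as a substring (the `contains` pitfall: "10.1.1.1" vs "10.1.1.10");
// it is also the cheaper of the two operators in Kusto.
// TimeGenerated is kept so each Deny line can be placed on a timeline.
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where OperationName == "AzureFirewallNetworkRuleLog"
| where msg_s has "TCP"
| where msg_s has "10.x.x.x" and msg_s has "Deny"
| project TimeGenerated, msg_s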
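// Any diagnostic line mentioning the address ("10.x.x.x" is a placeholder).
// Not narrowed by ResourceType/Category, so this scans every resource that writes
// to AzureDiagnostics; add `| where ResourceType == "AZUREFIREWALLS"` if only
// firewall rows are wanted.
// `has` avoids the substring over-match of `contains` ("10.1.1.1" vs "10.1.1.10").
AzureDiagnostics
| where msg_s has "10.x.x.x"
| project msg_s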
// Denied flows between two hosts, using the structured columns instead of msg_s.
// "source_ip" and "destination_ip" are placeholders for the real addresses.
// One predicate per `where` stage; equivalent to the single `and` chain.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Deny"
| where src_ip_s == "source_ip"
| where dest_ip_s == "destination_ip"
Firewall
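// Normalise Azure Firewall network/NAT rule lines (AzureDiagnostics.msg_s) into
// columns, then filter on the parsed source/target addresses.
// Three line shapes are handled (samples are in the comments below):
//   case 1a  network rule   PROTO request from IP:PORT to IP:PORT. Action: X.
//   case 1b  NAT rule       PROTO request from IP:PORT to IP:PORT was DNAT'ed to IP:PORT
//   case 2   ICMP           ICMP request from IP to IP. Action: X
// A string capture that does not match comes back "", an int capture null; the
// `case()` stages below turn both into "N/A" for fields a line does not carry.
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where OperationName == "AzureFirewallNatRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
//case 1: for records that look like this:
//PROTO request from IP:PORT to IP:PORT.
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
//case 1a: for regular network rules
| parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
//case 1b: for NAT rules
//TCP request from IP:PORT to IP:PORT was DNAT'ed to IP:PORT
| parse msg_s with * " was " Action1b:string " to " TranslatedDestination:string ":" TranslatedPort:int *
//Parse rule data if present
| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
| parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
//case 2: for ICMP records
//ICMP request from 10.0.2.4 to 10.0.3.4. Action: Allow
| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
// Ports were captured as int (null on a failed parse); tostring() makes that "".
| extend
    SourcePort = tostring(SourcePortInt),
    TargetPort = tostring(TargetPortInt)
| extend
    // Prefer the network-rule action, then the NAT action, then the ICMP action.
    Action = case(Action1a == "", case(Action1b == "", Action2, Action1b), split(Action1a, ".")[0]),
    Protocol = case(Protocol == "", Protocol2, Protocol),
    SourceIP = case(SourceIP == "", SourceIP2, SourceIP),
    TargetIP = case(TargetIP == "", TargetIP2, TargetIP),
    //ICMP records don't have port information
    SourcePort = case(SourcePort == "", "N/A", SourcePort),
    TargetPort = case(TargetPort == "", "N/A", TargetPort),
    //Regular network rules don't have a DNAT destination
    TranslatedDestination = case(TranslatedDestination == "", "N/A", TranslatedDestination),
    TranslatedPort = case(isnull(TranslatedPort), "N/A", tostring(TranslatedPort)),
    //Rule information
    Policy = case(Policy == "", "N/A", Policy),
    RuleCollectionGroup = case(RuleCollectionGroup == "", "N/A", RuleCollectionGroup),
    RuleCollection = case(RuleCollection == "", "N/A", RuleCollection),
    Rule = case(Rule == "", "N/A", Rule)
| project TimeGenerated, msg_s, Protocol, SourceIP, SourcePort, TargetIP, TargetPort, Action, TranslatedDestination, TranslatedPort, Policy, RuleCollectionGroup, RuleCollection, Rule
// `like` is not a Kusto operator, so the original final stage failed to parse.
// The parsed address columns hold a bare IP, so exact equality is the right test;
// the two addresses here are samples to be replaced.
| where SourceIP == "10.2.1.1" and TargetIP == "10.3.1.1"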
Unvalidated
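// Unvalidated: every firewall line (network, application and DNS-proxy categories)
// that mentions one address, newest first.
// The tostring(parse_json(msg_s)) round-trip was a no-op for matching purposes:
// parse_json() hands a non-JSON string back unchanged, and the network-rule
// samples above show msg_s is plain text. `has` also avoids the substring
// over-match of `contains` ("192.168.1.1" vs "192.168.1.10").
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule" or Category == "AzureFirewallDnsProxy"
| where msg_s has "192.168.1.1"
| project TimeGenerated, msg_s, Resource, ResourceGroup, SubscriptionId
| order by TimeGenerated desc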