
Microsoft Azure – Azure Firewall Flow Logs From Select Source IP

Last Updated : 30 Mar, 2023

In this article we find Azure Firewall network-rule flow logs (inbound or outbound traffic) that originate from a selected source IP address, using KQL against the AzureDiagnostics table in Log Analytics. The same query is shown three times, differing only in the operator used to match the address: has (term match), == (exact match) and contains (substring match). Which one you pick matters, because an IP address is a string here and the three operators match it differently.

Case 1: KQL query to find Azure Firewall network-rule logs from a selected source IP address, projecting TimeGenerated, the source IP address, the target IP address, the action (Allow or Deny) and the raw flow message (protocol plus "request from ... to ..."), matching the address with the has operator. has matches whole terms, so "10.0.0.4" matches "10.0.0.4:58952" but not "10.0.0.40" or "110.0.0.4". To match several addresses at once use has_any() with the values separated by commas.

KQL Query:

AzureDiagnostics
| where TimeGenerated between (datetime("2022-01-05 00:00:00") .. datetime("2022-01-08 12:00:00"))
| where Category == "AzureFirewallNetworkRule"
// msg_s looks like "TCP request from 10.0.0.4:58952 to 10.1.0.4:80. Action: Allow"
| parse msg_s with Protocol " request from " Source " to " Target ". Action: " Action
// split the ephemeral source port off so the address can be matched on its own (ICMP flows carry no port)
| extend SourceIP = tostring(split(Source, ":")[0])
// term match; for several addresses use: | where SourceIP has_any ("ip1", "ip2")
| where SourceIP has "_add_source_ip_address_here"
| project TimeGenerated, SourceIP, Target, Action, msg_s

Output: one row per matching flow with the columns TimeGenerated, SourceIP, Target, Action and msg_s.

Case 2: KQL query to find Azure Firewall network-rule logs from a selected source IP address, projecting the same columns as Case 1, but matching the address with == (the is-equal-to operator), i.e. only the exact source IP address. Note that the parsed "request from" value is "address:port", so the port has to be split off before the comparison; otherwise == never matches a bare address.

KQL Query:

AzureDiagnostics
| where TimeGenerated between (datetime("2022-01-05 00:00:00") .. datetime("2022-01-08 12:00:00"))
| where Category == "AzureFirewallNetworkRule"
// msg_s looks like "TCP request from 10.0.0.4:58952 to 10.1.0.4:80. Action: Allow"
| parse msg_s with Protocol " request from " Source " to " Target ". Action: " Action
// without this step SourceIP is "10.0.0.4:58952" and an exact comparison against "10.0.0.4" returns nothing
| extend SourceIP = tostring(split(Source, ":")[0])
// exact match on the address only
| where SourceIP == "_add_source_ip_address_here"
| project TimeGenerated, SourceIP, Target, Action, msg_s

Output: one row per flow whose source address is exactly the given IP, with the columns TimeGenerated, SourceIP, Target, Action and msg_s.

Case 3: KQL query to find Azure Firewall network-rule logs from a selected source IP address, projecting the same columns as Case 1, but matching the address with the contains operator (substring match). contains matches anywhere inside the string, so "10.0.0.4" also matches "10.0.0.40" and "110.0.0.4"; use it only when a partial match is what you want, for example "10.0.0." to cover every host in 10.0.0.0/24, and use == when you need one exact address.

KQL Query:

AzureDiagnostics
| where TimeGenerated between (datetime("2022-01-05 00:00:00") .. datetime("2022-01-08 12:00:00"))
| where Category == "AzureFirewallNetworkRule"
// msg_s looks like "TCP request from 10.0.0.4:58952 to 10.1.0.4:80. Action: Allow"
| parse msg_s with Protocol " request from " Source " to " Target ". Action: " Action
// split the ephemeral source port off so the address can be matched on its own
| extend SourceIP = tostring(split(Source, ":")[0])
// substring match: a partial value such as "10.0.0." matches the whole /24, but "10.0.0.4" also matches 10.0.0.40
| where SourceIP contains "_add_source_ip_address_here"
| project TimeGenerated, SourceIP, Target, Action, msg_s

Output: one row per flow whose source address contains the given string, with the columns TimeGenerated, SourceIP, Target, Action and msg_s.
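The three cases above each return raw rows for one address. When investigating a host, a practitioner usually wants several addresses at once and a summary rather than a row per packet flow. The following query is an added example, not code from the original article; it builds on the same parse pattern and goes beyond the three cases by taking a list of source addresses, splitting the port off both ends of the flow, and summarizing allow and deny counts per source, destination and protocol. The three addresses in the watchlist are placeholders, and the handling of the Action field assumes that newer Azure Firewall log lines append policy and rule details after "Action: Allow" or "Action: Deny".

```kql
// Added example (not from the original article): flows from a list of source
// addresses, summarized by source, destination, protocol and action.
// The three addresses below are placeholders; replace them with the hosts under investigation.
let watchlist = dynamic(["10.0.1.4", "10.0.1.5", "192.168.10.20"]);
AzureDiagnostics
| where TimeGenerated between (datetime("2022-01-05 00:00:00") .. datetime("2022-01-08 12:00:00"))
| where Category == "AzureFirewallNetworkRule"
// msg_s: "TCP request from 10.0.1.4:58952 to 10.1.0.4:80. Action: Allow"
// newer lines continue with ". Policy: ... Rule Collection Group: ... Rule: ..."
| parse msg_s with Protocol " request from " Source " to " Target ". Action: " ActionRaw
// split "address:port" on both ends; ICMP flows have no port, so the port column is null for them
| extend SourceIP  = tostring(split(Source, ":")[0]), SourcePort = toint(split(Source, ":")[1])
| extend TargetIP  = tostring(split(Target, ":")[0]), TargetPort = toint(split(Target, ":")[1])
// keep only "Allow" / "Deny" even when policy details follow the action (assumption about the newer format)
| extend Action = tostring(split(ActionRaw, ".")[0])
// exact membership test against the list; has_any (watchlist) on Source would also work here
| where SourceIP in (watchlist)
| summarize Flows = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            TargetPorts = make_set(TargetPort, 50)
  by SourceIP, TargetIP, Protocol, Action
| order by Flows desc
```

Run it in the Log Analytics workspace that receives the firewall's AzureFirewallNetworkRule diagnostic logs. A watchlisted host with a high Deny count across many TargetPorts in a short FirstSeen to LastSeen window is the pattern to look at first, since it is what a port scan from a compromised VM looks like in these logs; the raw rows from the three cases above then give the individual flows.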

