Microsoft Azure – Azure Firewall Flow Logs From Select Source IP

  • Last Updated : 21 Feb, 2022

In this article we find Azure Firewall network flow traffic (inbound or outbound) from a selected source IP address using KQL queries, in the following three scenarios.

Case 1: KQL query to find the Azure Firewall network logs from a selected source IP address, projecting TimeGenerated, source IP address, target IP address, Action (Allow or Deny) and the network flow message (protocol, request from and to), filtering with the "has" keyword. Alternatively, use has_any() with comma-separated values.

KQL Query:

AzureDiagnostics
| where TimeGenerated between(datetime("2022-01-05 00:00:00") .. datetime("2022-01-08 12:00:00"))
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, SourceIP, Target, Action, msg_s
| where SourceIP has "_add_source_ip_address_here"

Output:

Case 2: KQL query to find the Azure Firewall network logs from a selected source IP address, projecting TimeGenerated, source IP address, target IP address, Action (Allow or Deny) and the network flow message (protocol, request from and to), filtering with "==" (the "is equal to" operator, i.e. an exact match on the source IP address).

KQL Query:

AzureDiagnostics
| where TimeGenerated between(datetime("2022-01-05 00:00:00") .. datetime("2022-01-08 12:00:00"))
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, SourceIP, Target, Action, msg_s
| where SourceIP == "_add_source_ip_address_here"

Output:

Case 3: KQL query to find the Azure Firewall network logs from a selected source IP address, projecting TimeGenerated, source IP address, target IP address, Action (Allow or Deny) and the network flow message (protocol, request from and to), filtering with the "contains" keyword (matches if the source IP field contains the value anywhere).

KQL Query:

AzureDiagnostics
| where TimeGenerated between(datetime("2022-01-05 00:00:00") .. datetime("2022-01-08 12:00:00"))
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, SourceIP, Target, Action, msg_s
| where SourceIP contains "_add_source_ip_address_here"

Output:
