Open In App

Microsoft Azure – Firewall Network Flow Logs with TimeGenerated using KQL

Last Updated : 31 Mar, 2023
Improve
Improve
Like Article
Like
Save
Share
Report

Here, In this article, we will be using the azure kql log queries to fetch the azure network flow logs traffic flowing through by setting the time using TimeGenerated in query. We will look into a few various examples and how we can use them to filter the results.

KQL Query Example 1:

To find the Azure network logs of Inbound and Outbound for the last 12 hours by projecting the TimeGenerated, Protocol, SourceIP, Target, Action, and Complete display message of Network flow log.

AzureDiagnostics
| where TimeGenerated > ago(12h)
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, Protocol, SourceIP, Target, Action, Complete_MSG=msg_s

Output:

KQL Query Example 2:

To find the Azure network logs of Inbound and Outbound for the last 5 minutes by projecting the TimeGenerated, Protocol, SourceIP, Target, Action, and Complete display message of Network flow log.

AzureDiagnostics
| where TimeGenerated > ago(5m)
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, SourceIP, Target, Action, msg_s

Output:

KQL Query Example 3:

To find the Azure network logs of Inbound and Outbound for the last 7 days by projecting the TimeGenerated, Protocol, SourceIP, Target, Action, and Complete display message of Network flow log.

AzureDiagnostics
| where TimeGenerated > ago(7d)
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, SourceIP, Target, Action, msg_s

Output:

KQL Query Example 4:

To find the Azure network logs of Inbound and Outbound with time range using between keyword and to projecting the TimeGenerated, Protocol, SourceIP, Target, Action and Complete display message of Network flow log.

AzureDiagnostics
| where TimeGenerated between(datetime("2022-01-05 00:00:00") .. datetime("2022-01-08 12:00:00"))
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, SourceIP, Target, Action, msg_s

Output:


Like Article
Suggest improvement
Previous
Microsoft Azure - Heartbeat KQL Log Monitoring Query
Next
Microsoft Azure - Setting up a Auto Shutdown For Azure Virtual Machine
Share your thoughts in the comments

Similar Reads

Microsoft Azure - Azure Firewall Flow Logs From Select Source IP
Microsoft Azure - Enabling Logs for Troubleshooting the Azure Firewall Rules
Microsoft Azure - Azure VM Disk Space in Percentage using Azure KQL
Microsoft Azure - Query Azure Storage Logs in Azure Monitor Log Analytics
Microsoft Azure - Export the List of Azure Storage Services using KQL
Microsoft Azure - Query System Event Log Data Using Azure KQL
Microsoft Azure - Tracking Memory Utilization of Azure VM using KQL Log Query
Microsoft Azure - Track CPU Utilization of a Azure Virtual Machines using KQL Log Query
Microsoft Azure - Check Resource Owner in Azure using KQL
Microsoft Azure - Query Application Event Log Data using Azure KQL
author
jaysurya9
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox