Azure Firewall logs Kusto Query

Venu Gopal Krishna VV 100 Reputation points
2023-05-03T05:38:22.19+00:00

Dear Member,

In Azure Firewall I have configured a block rule. Now I want to check whether it denies the traffic it is supposed to deny, and whether it still allows the other traffic.

Can someone please help with the Kusto query for checking whether the block rule is allowing or denying traffic?

I appreciate any help with this.


Accepted answer
  1. KapilAnanth-MSFT 45,366 Reputation points Microsoft Employee
    2023-05-04T08:25:44.2166667+00:00

    @Venu Gopal Krishna VV

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I reproduced your environment and arrived at the below query.

    // Legacy AzureDiagnostics schema: only the network and application rule categories carry rule verdicts
    AzureDiagnostics
    | where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
    // Normalise the two "implicit deny" message shapes so they also carry a Rule Collection / Rule suffix
    | extend msg_s = replace(@'. Action: Deny. Reason: SNI TLS extension was missing.', @' to no_data:no_data. Action: Deny. Rule Collection: default behavior. Rule: SNI TLS extension missing', msg_s)
    | extend msg_s = replace(@'No rule matched. Proceeding with default action', @'Rule Collection: default behavior. Rule: no rule matched', msg_s)
    // Each block below extracts one trailing field, then strips it so the next parse sees a shorter message
    | parse msg_s with * " Web Category: " WebCategory
    | extend msg_s = replace(@'(. Web Category:).*','', msg_s)
    | parse msg_s with * ". Rule Collection: " RuleCollection ". Rule: " Rule
    | extend msg_s = replace(@'(. Rule Collection:).*','', msg_s)
    | parse msg_s with * ". Rule Collection Group: " RuleCollectionGroup
    | extend msg_s = replace(@'(. Rule Collection Group:).*','', msg_s)
    // extract Policy information, then remove it from further parsing
    | parse msg_s with * ". Policy: " Policy
    | extend msg_s = replace(@'(. Policy:).*','', msg_s)
    | parse msg_s with * ". Signature: " IDSSignatureIDInt ". IDS: " IDSSignatureDescription ". Priority: " IDSPriorityInt ". Classification: " IDSClassification
    | extend msg_s = replace(@'(. Signature:).*','', msg_s)
    | parse msg_s with * " was DNAT'ed to " NatDestination
    | extend msg_s = replace(@"( was DNAT'ed to ).*",". Action: DNAT", msg_s)
    // extract Threat Intelligence info, then remove it from further parsing
    | parse msg_s with * ". ThreatIntel: " ThreatIntel
    | extend msg_s = replace(@'(. ThreatIntel:).*','', msg_s)
    // extract URL, then remove it from further parsing
    | extend URL = extract(@"(Url: )(.*)(\. Action)",2,msg_s)
    | extend msg_s=replace(@"(Url: .*)(Action)",@"\2",msg_s)
    | parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
    // Split "host:port" endpoints; every expression in this extend reads the pre-extend column values
    | extend 
        SourceIP = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",0),""),SourceIP),
        SourcePort = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",1),""),""),
        Target = iif(Target contains ":",strcat_array(split(Target,":",0),""),Target),
        TargetPort = iif(Target contains ":",strcat_array(split(Target,":",1),""),""),
        Action = iif(Action contains ".",strcat_array(split(Action,".",0),""),Action),
        Policy = case(RuleCollection contains ":", split(RuleCollection, ":")[0] ,Policy),
        RuleCollectionGroup = case(RuleCollection contains ":", split(RuleCollection, ":")[1], RuleCollectionGroup),
        RuleCollection = case(RuleCollection contains ":", split(RuleCollection, ":")[2], RuleCollection),
        IDSSignatureID = tostring(IDSSignatureIDInt),
        IDSPriority = tostring(IDSPriorityInt)
    | project TimeGenerated,Protocol,SourceIP,SourcePort,Target,TargetPort,URL,Action, NatDestination, OperationName,ThreatIntel,IDSSignatureID,IDSSignatureDescription,IDSPriority,IDSClassification,Policy,RuleCollectionGroup,RuleCollection,Rule,WebCategory
    | where Action == "Deny"
    //| where Rule == "<YOURRULENAME>"
    | order by TimeGenerated
    | limit 100
    

    Please replace <YOURRULENAME> with your rule name (and remove the comment marker),

    or if you want all Deny events, you can leave that line commented out.

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    3 people found this answer helpful.
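The query above targets the legacy AzureDiagnostics schema, where the verdict, rule collection and rule name are all packed into the free-text msg_s column and have to be parsed out. To show what that parse-then-strip chain does to a row, here is an added Python example that is not part of the original answer: it applies the same two normalisation rewrites, pulls out the same fields, splits host:port, and then filters on Action == "Deny" with an optional rule-name filter, exactly like the last lines of the query. The sample rows are constructed to match the message shapes the query handles (rule match, no rule matched, missing SNI, Web Category suffix) and are not real firewall output; the FwEvent dataclass and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample rows (Category, msg_s), patterned on the message shapes
# the KQL above parses. Illustrative only, not real Azure Firewall output.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("AzureFirewallNetworkRule",
     "TCP request from 10.0.0.4:49152 to 10.1.0.5:3389. Action: Deny. "
     "Rule Collection: block-rdp. Rule: deny-rdp-from-web"),
    ("AzureFirewallNetworkRule",
     "TCP request from 10.0.0.4:49153 to 10.1.0.5:443. Action: Allow. "
     "Rule Collection: allow-https. Rule: web-to-app"),
    ("AzureFirewallNetworkRule",
     "UDP request from 10.0.0.7:5353 to 10.2.0.9:5353. Action: Deny. "
     "No rule matched. Proceeding with default action"),
    ("AzureFirewallApplicationRule",
     "HTTPS request from 10.0.0.4:49154 to www.example.com:443. Action: Deny. "
     "Rule Collection: block-rdp. Rule: deny-example. Web Category: Business"),
    ("AzureFirewallApplicationRule",
     "HTTPS request from 10.0.0.4:49155. Action: Deny. Reason: SNI TLS extension was missing."),
    # A non-rule category; the query's Category filter drops rows like this one.
    ("AzureFirewallDnsProxy", "DNS Request: 10.0.0.4:53000 example.com A (constructed placeholder)"),
]

RULE_CATEGORIES = {"AzureFirewallNetworkRule", "AzureFirewallApplicationRule"}


@dataclass
class FwEvent:
    category: str
    protocol: str
    source_ip: str
    source_port: str
    target: str
    target_port: str
    action: str
    rule_collection: str
    rule: str
    web_category: str


def normalize(msg: str) -> str:
    """The two rewrites the query applies first, so that implicit denies
    (no rule matched, missing SNI) also end in 'Rule Collection: ... Rule: ...'."""
    msg = msg.replace(
        ". Action: Deny. Reason: SNI TLS extension was missing.",
        " to no_data:no_data. Action: Deny. Rule Collection: default behavior. "
        "Rule: SNI TLS extension missing")
    msg = msg.replace(
        "No rule matched. Proceeding with default action",
        "Rule Collection: default behavior. Rule: no rule matched")
    return msg


def take(msg: str, marker: str) -> Tuple[str, str]:
    """Mirror of the query's 'parse ... | extend msg_s = replace(...)' pair:
    return (text after marker, message with marker and its tail removed)."""
    head, sep, tail = msg.partition(marker)
    return (tail if sep else ""), head


def split_host_port(endpoint: str) -> Tuple[str, str]:
    # rpartition so a colon-bearing IPv6 literal keeps its host part intact
    host, sep, port = endpoint.rpartition(":")
    return (host, port) if sep else (endpoint, "")


# Equivalent of: parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
HEADER_RE = re.compile(r"^(\S+) request from (\S+) to (\S+)\. Action: ([A-Za-z]+)")


def parse_event(category: str, msg: str) -> Optional[FwEvent]:
    """Parse one AzureDiagnostics row into its fields; None if it is not a rule row."""
    if category not in RULE_CATEGORIES:
        return None
    msg = normalize(msg)
    web_category, msg = take(msg, ". Web Category: ")
    rule_part, msg = take(msg, ". Rule Collection: ")
    rule_collection, _, rule = rule_part.partition(". Rule: ")
    m = HEADER_RE.match(msg)
    if not m:
        return None
    protocol, source, target, action = m.groups()
    src_ip, src_port = split_host_port(source)
    dst, dst_port = split_host_port(target)
    return FwEvent(category, protocol, src_ip, src_port, dst, dst_port,
                   action, rule_collection, rule, web_category)


def find_denies(rows: Iterable[Tuple[str, str]], rule: Optional[str] = None) -> List[FwEvent]:
    """'| where Action == "Deny"' plus the optional '| where Rule == "<YOURRULENAME>"'."""
    hits = []
    for category, msg in rows:
        ev = parse_event(category, msg)
        if ev and ev.action == "Deny" and (rule is None or ev.rule == rule):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_denies(SAMPLE_ROWS):
        print(f"{ev.protocol} {ev.source_ip}:{ev.source_port} -> {ev.target}:{ev.target_port} "
              f"{ev.action} [{ev.rule_collection} / {ev.rule}]")
```

Running it with no rule filter lists the four Deny rows (one explicit rule hit, one default-action deny, one application-rule deny with its Web Category, one missing-SNI deny with no_data as the target); passing rule="deny-rdp-from-web" narrows it to the single row that the block rule itself produced, which is the check the question asks for.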
