Azure Firewall logs Kusto Query and rules processing

Question

Azure Firewall logs Kusto Query and rules processing

Venu Gopal Krishna VV 100

Dear Members,

i have two rule collection groups 1) Allow Rule 2) deny rule group`s

User's image

in allow group there are 40 rules, now i want to check each rule is allowed inside the firewall or not, say for example s as shown below Splunk Cloud is one of the rule in the Allow Action group, now i want to check whether the Splunk Cloud is allowed inside the firewall or not, need help on the Kusto Query please.

User's image

reason for this Ask because here we have deny action group so want to make sure that rules mentioned in the Allow action group were processing correctly.

we are making massive changes in our production firewall by introducing this new Deny action group so making sure nothing is breaking down or effecting the Allow collection group.

can please help on this with the query. appreciate for help in this.

KapilAnanth 49,861 Reputation points Moderator

2023-06-15T09:33:03.0766667+00:00

@Venu Gopal Krishna VV

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil
KapilAnanth 49,861 Reputation points Moderator

2023-06-19T14:50:28.0466667+00:00

@Venu Gopal Krishna VV

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
KapilAnanth 49,861 Reputation points Moderator

2023-06-21T16:24:47.9266667+00:00

@Venu Gopal Krishna VV

Could you please provide an update on this post?

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

1 answer

Your answer

KapilAnanth 49,861 Reputation points Moderator

2023-06-15T09:33:03.0766667+00:00

@Venu Gopal Krishna VV

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil
KapilAnanth 49,861 Reputation points Moderator

2023-06-19T14:50:28.0466667+00:00

@Venu Gopal Krishna VV

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
KapilAnanth 49,861 Reputation points Moderator

2023-06-21T16:24:47.9266667+00:00

@Venu Gopal Krishna VV

Could you please provide an update on this post?

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 1

KapilAnanth 49,861 Moderator

@Venu Gopal Krishna VV

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to understand the Rule Processing logic of Azure Firewall

Refer to this for more information on Rule Processing

Now, wrt your specific scenario,

I see your Deny Group has a higher priority than the Allow Group.
This means, as long as there is no Deny Rule inside the Deny Group for "SplunkCloud", the traffic is allowed.
I understand you would like to know the effective Allow/Deny for the "SplunkCloud" traffic using a KUSTO Query.
- AFAIK, it is not feasible to get the effective allow/deny for a specific destination without actual traffic.
- You have to test this by simulating live traffic to "SplunkCloud" and see what rules are being hit on the Firewall.
- If the Allow rule from ALLOW Group is hit, then it's safe to say no rules in the DENY Group are blocking this traffic
- However, if a different rule from DENY Group is hit, then you have to edit this rule to not deny the traffic.
Without simulating actual live traffic, we will not be able to log a DENY/ALLOW Rule.
- So, once you start simulating traffic from a particular VM, note it's IP
- Then you can filter the Firewall Logs using the Source IP as the VM's IP
- Check if it's allowed or denied

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Venu Gopal Krishna VV 100 Reputation points

2023-06-14T07:47:20.67+00:00

Hi @KapilAnanth

appreciate and thank you so much for clear explanation.

we have already live simulation traffic is allowed for "SplunkCloud" to a Azure VM.

Src Ip of Azure VM 10.41.16.84

and here is there a way we can check this "SplunkCloud" is allowed or not with general query without Src Ip?

and second query by mentioning as Src Ip in the query.

can you please help with two queries. thanks for your help again.

KapilAnanth 49,861 Moderator

@KapilAnanth

We can, but instead of specifying this on the query, I would suggest you to run a general query to list all the traffic and further use "Find" feature in the logs section.

Anyways, I shall provide the queries.

Without Source IP (but we use Destination)

AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
| extend msg_original = msg_s
| extend msg_s = replace(@'. Action: Deny. Reason: SNI TLS extension was missing.', @' to no_data:no_data. Action: Deny. Rule Collection: default behavior. Rule: SNI TLS extension missing', msg_s)
| extend msg_s = replace(@'No rule matched. Proceeding with default action', @'Rule Collection: default behavior. Rule: no rule matched', msg_s)
| parse msg_s with * " Web Category: " WebCategory
| extend msg_s = replace(@'(. Web Category:).*','', msg_s)
| parse msg_s with * ". Rule Collection: " RuleCollection ". Rule: " Rule
| extend msg_s = replace(@'(. Rule Collection:).*','', msg_s)
| parse msg_s with * ". Rule Collection Group: " RuleCollectionGroup
| extend msg_s = replace(@'(. Rule Collection Group:).*','', msg_s)
| parse msg_s with * ". Policy: " Policy
| extend msg_s = replace(@'(. Policy:).*','', msg_s)
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| extend 
    SourceIP = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",0),""),SourceIP),
    SourcePort = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",1),""),""),
    Target = iif(Target contains ":",strcat_array(split(Target,":",0),""),Target),
    TargetPort = iif(SourceIP contains ":",strcat_array(split(Target,":",1),""),""),
    Action = iif(Action contains ".",strcat_array(split(Action,".",0),""),Action),
    Policy = case(RuleCollection contains ":", split(RuleCollection, ":")[0] ,Policy),
    RuleCollectionGroup = case(RuleCollection contains ":", split(RuleCollection, ":")[1], RuleCollectionGroup),
    RuleCollection = case(RuleCollection contains ":", split(RuleCollection, ":")[2], RuleCollection)
| project msg_original,TimeGenerated,Protocol,SourceIP,SourcePort,Target,TargetPort,Action,OperationName,Policy,RuleCollectionGroup,RuleCollection,Rule,WebCategory
| where Target contains "splunkcloud.com"

With Source IP

AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
| extend msg_original = msg_s
| extend msg_s = replace(@'. Action: Deny. Reason: SNI TLS extension was missing.', @' to no_data:no_data. Action: Deny. Rule Collection: default behavior. Rule: SNI TLS extension missing', msg_s)
| extend msg_s = replace(@'No rule matched. Proceeding with default action', @'Rule Collection: default behavior. Rule: no rule matched', msg_s)
| parse msg_s with * " Web Category: " WebCategory
| extend msg_s = replace(@'(. Web Category:).*','', msg_s)
| parse msg_s with * ". Rule Collection: " RuleCollection ". Rule: " Rule
| extend msg_s = replace(@'(. Rule Collection:).*','', msg_s)
| parse msg_s with * ". Rule Collection Group: " RuleCollectionGroup
| extend msg_s = replace(@'(. Rule Collection Group:).*','', msg_s)
| parse msg_s with * ". Policy: " Policy
| extend msg_s = replace(@'(. Policy:).*','', msg_s)
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| extend 
    SourceIP = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",0),""),SourceIP),
    SourcePort = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",1),""),""),
    Target = iif(Target contains ":",strcat_array(split(Target,":",0),""),Target),
    TargetPort = iif(SourceIP contains ":",strcat_array(split(Target,":",1),""),""),
    Action = iif(Action contains ".",strcat_array(split(Action,".",0),""),Action),
    Policy = case(RuleCollection contains ":", split(RuleCollection, ":")[0] ,Policy),
    RuleCollectionGroup = case(RuleCollection contains ":", split(RuleCollection, ":")[1], RuleCollectionGroup),
    RuleCollection = case(RuleCollection contains ":", split(RuleCollection, ":")[2], RuleCollection)
| project msg_original,TimeGenerated,Protocol,SourceIP,SourcePort,Target,TargetPort,Action,OperationName,Policy,RuleCollectionGroup,RuleCollection,Rule,WebCategory
| where SourceIP = 10.41.16.84

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Venu Gopal Krishna VV 100 Reputation points

2023-06-14T08:31:48.7133333+00:00

Thanks @KapilAnanth ,

looks like general query will be helpful in this, can you please share General query so that we can check on this.

appreciate for your help.

KapilAnanth 49,861 Moderator

@Venu Gopal Krishna VV

Sure

AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
| extend msg_s = replace(@'. Action: Deny. Reason: SNI TLS extension was missing.', @' to no_data:no_data. Action: Deny. Rule Collection: default behavior. Rule: SNI TLS extension missing', msg_s)
| extend msg_s = replace(@'No rule matched. Proceeding with default action', @'Rule Collection: default behavior. Rule: no rule matched', msg_s)
| parse msg_s with * " Web Category: " WebCategory
| extend msg_s = replace(@'(. Web Category:).*','', msg_s)
| parse msg_s with * ". Rule Collection: " RuleCollection ". Rule: " Rule
| extend msg_s = replace(@'(. Rule Collection:).*','', msg_s)
| parse msg_s with * ". Rule Collection Group: " RuleCollectionGroup
| extend msg_s = replace(@'(. Rule Collection Group:).*','', msg_s)
// extract Policy information, then remove it from further parsing
| parse msg_s with * ". Policy: " Policy
| extend msg_s = replace(@'(. Policy:).*','', msg_s)
| parse msg_s with * ". Signature: " IDSSignatureIDInt ". IDS: " IDSSignatureDescription ". Priority: " IDSPriorityInt ". Classification: " IDSClassification
| extend msg_s = replace(@'(. Signature:).*','', msg_s)
| parse msg_s with * " was DNAT'ed to " NatDestination
| extend msg_s = replace(@"( was DNAT'ed to ).*",". Action: DNAT", msg_s)
// extract Threat Intellingence info, then remove it from further parsing
| parse msg_s with * ". ThreatIntel: " ThreatIntel
| extend msg_s = replace(@'(. ThreatIntel:).*','', msg_s)
// extract URL, then remove it from further parsing
| extend URL = extract(@"(Url: )(.*)(\. Action)",2,msg_s)
| extend msg_s=replace(@"(Url: .*)(Action)",@"\2",msg_s)
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| extend 
    SourceIP = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",0),""),SourceIP),
    SourcePort = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",1),""),""),
    Target = iif(Target contains ":",strcat_array(split(Target,":",0),""),Target),
    TargetPort = iif(SourceIP contains ":",strcat_array(split(Target,":",1),""),""),
    Action = iif(Action contains ".",strcat_array(split(Action,".",0),""),Action),
    Policy = case(RuleCollection contains ":", split(RuleCollection, ":")[0] ,Policy),
    RuleCollectionGroup = case(RuleCollection contains ":", split(RuleCollection, ":")[1], RuleCollectionGroup),
    RuleCollection = case(RuleCollection contains ":", split(RuleCollection, ":")[2], RuleCollection),
    IDSSignatureID = tostring(IDSSignatureIDInt),
    IDSPriority = tostring(IDSPriorityInt)
| project TimeGenerated,Protocol,SourceIP,SourcePort,Target,TargetPort,URL,Action, NatDestination, OperationName,ThreatIntel,IDSSignatureID,IDSSignatureDescription,IDSPriority,IDSClassification,Policy,RuleCollectionGroup,RuleCollection,Rule,WebCategory
| where Action == "Deny"
//| where Rule == "<YOURRULENAME>"
| order by TimeGenerated
| limit 100

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Venu Gopal Krishna VV 100 Reputation points

2023-06-14T09:08:25.1033333+00:00

Thanks @KapilAnanth ,

i really appreciate for your help on this, as we are new to this KQL can you please help us in providing some learning documents where we can do some research on the Azure KQL.

Thanks again for you help. appreciate it.
KapilAnanth 49,861 Reputation points Moderator

2023-06-14T09:12:03.7366667+00:00
@Venu Gopal Krishna VV

Sure , you can start from here : KQL Overview

The follow the next Steps in the same document

Tutorial: Learn common operators

Tutorial: Use aggregation functions

KQL quick reference

SQL to Kusto cheat sheet

Query best practices

Query data with T-SQL

Hope this helps.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Share via

Azure Firewall logs Kusto Query and rules processing

1 answer

Your answer