Need to find Top talkers from Azure Firewall network Logs

Shramik Ghadigaonkar 0 Reputation points
2024-11-05T10:20:11.85+00:00

I want a KQL query and the configuration settings that can give me Azure Firewall network rule logs with columns holding the SentBytes and ReceivedBytes details for each packet.

Azure Firewall

3 answers

  1. Sedat SALMAN 14,140 Reputation points MVP
    2024-11-05T10:33:12.6033333+00:00

    Assuming you have already configured Azure Firewall to send its logs to a Log Analytics workspace, the following may help you:

    // Legacy AzureDiagnostics schema: sum bytes per source address and rank the heaviest senders first
    AzureDiagnostics
    | where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
    | summarize TotalSentBytes = sum(SentBytes), TotalReceivedBytes = sum(ReceivedBytes) by SourceIP
    | order by TotalSentBytes desc
    
    

  2. Wrillrous 0 Reputation points
    2024-11-05T10:42:46.5666667+00:00

    To get Azure Firewall network rule logs with SentBytes and ReceivedBytes details for each packet, you can use the following KQL query in Azure Log Analytics:

    // Legacy AzureDiagnostics schema: one row per network rule log entry with the byte counters projected
    AzureDiagnostics
    | where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
    | project TimeGenerated, SourceIP, DestinationIP, Protocol, Action, SentBytes, ReceivedBytes


  3. ChaitanyaNaykodi-MSFT 26,706 Reputation points Microsoft Employee
    2024-11-06T02:55:26.1366667+00:00

    @Shramik Ghadigaonkar Thank you for reaching out.

    In order to determine the top talkers from Azure Firewall, activating the Top flows log will be the way to go.

    https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall-reference#top-flows

    The top flows log is known in the industry as fat flow log and in the preceding table as Azure Firewall Fat Flow Log. The top flows log shows the top connections that are contributing to the highest throughput through the firewall.

    Make sure you have enabled structured firewall logs in this case:

    https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall#enable-structured-logs

    Enable the Top flows log using the following Azure PowerShell commands:

    Set-AzContext -SubscriptionName <SubscriptionName>
    $firewall = Get-AzFirewall -ResourceGroupName <ResourceGroupName> -Name <FirewallName>
    $firewall.EnableFatFlowLogging = $true
    Set-AzFirewall -AzureFirewall $firewall
    
    
    

    Note: Activate Top flows logs only when troubleshooting a specific issue to avoid excessive CPU usage of Azure Firewall.

    Please follow the documentation above for disabling the logs.

    You can find the sample query here
    https://learn.microsoft.com/en-us/azure/azure-monitor/reference/queries/azfwfatflow

    // Get the fat flows from the past 1000 samples with a rate of at least 5 Mbps
    AZFWFatFlow
    | take 1000
    | order by TimeGenerated desc
    | where FlowRate > 5
    
    

    This is list of columns available for this log
    https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwfatflow#columns

    Currently this log does not contain the SentBytes and ReceivedBytes details, and if the Top flows log does not satisfy your requirements, it will help if you could file a feedback item for this request along with your business requirement. You can file this request here

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
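The answer above gives the enable command, the sample query and the warning to switch the log off again as three separate pieces. The script below is an added example (not code from the original post, from Microsoft's documentation, or from the Azure Firewall product) that strings the whole procedure together in one Azure PowerShell session: it turns on the Top flows log, waits for samples to land in the workspace, ranks talkers from the AZFWFatFlow table, and then always disables the log in a finally block so the extra firewall CPU cost does not outlive the troubleshooting session. The subscription, resource group, firewall name, workspace ID, the 15-minute observation window and the `top 20` cut-off are placeholders and assumptions to replace with your own values; the column names (SourceIp, DestinationIp, DestinationPort, Protocol, FlowRate) come from the AZFWFatFlow table reference linked above, and the ranking uses FlowRate (Mbps) because, as the answer notes, this table carries no SentBytes or ReceivedBytes counters.

```powershell
# Added example: enable Azure Firewall Top flows (fat flow) logging, find the top
# talkers in the AZFWFatFlow table, then switch the log back off.
# All parameter defaults are placeholders/assumptions, not values from the original post.
# Prerequisites: Az.Network and Az.OperationalInsights modules, an existing Connect-AzAccount
# session, and structured logs already enabled in the firewall's diagnostic settings.
param(
    [string]$SubscriptionName  = '<SubscriptionName>',
    [string]$ResourceGroupName = '<ResourceGroupName>',
    [string]$FirewallName      = '<FirewallName>',
    # Log Analytics workspace (customer) ID; assumed placeholder GUID
    [string]$WorkspaceId       = '00000000-0000-0000-0000-000000000000',
    # How long to let the firewall sample traffic before querying (assumed window)
    [int]$ObserveMinutes       = 15
)

Set-AzContext -SubscriptionName $SubscriptionName | Out-Null

# 1. Enable the Top flows log (the EnableFatFlowLogging flag used in the answer above).
$firewall = Get-AzFirewall -ResourceGroupName $ResourceGroupName -Name $FirewallName
$firewall.EnableFatFlowLogging = $true
$firewall = Set-AzFirewall -AzureFirewall $firewall
Write-Host "Top flows logging enabled: $($firewall.EnableFatFlowLogging)"

try {
    # 2. Let the firewall sample flows; ingestion into Log Analytics lags by a few minutes,
    #    so the query window below matches the time we actually waited.
    Write-Host "Collecting Top flows samples for $ObserveMinutes minutes..."
    Start-Sleep -Seconds ($ObserveMinutes * 60)

    # 3. Rank talkers by reported rate. FlowRate is in Mbps per the AZFWFatFlow reference;
    #    the table has no byte counters, so peak and average rate are what we can rank on.
    $query = @"
AZFWFatFlow
| where TimeGenerated > ago(${ObserveMinutes}m)
| summarize PeakMbps = max(FlowRate), AvgMbps = round(avg(FlowRate), 2), Samples = count()
    by SourceIp, DestinationIp, DestinationPort, Protocol
| top 20 by PeakMbps desc
"@
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query
    $result.Results |
        Format-Table SourceIp, DestinationIp, DestinationPort, Protocol, PeakMbps, AvgMbps, Samples -AutoSize
}
finally {
    # 4. Always disable the log again, even if the query failed: the note above warns that
    #    leaving Top flows on costs Azure Firewall CPU.
    $firewall = Get-AzFirewall -ResourceGroupName $ResourceGroupName -Name $FirewallName
    $firewall.EnableFatFlowLogging = $false
    Set-AzFirewall -AzureFirewall $firewall | Out-Null
    Write-Host "Top flows logging disabled."
}
```

Run it as a script (`.\Get-FirewallTopTalkers.ps1 -ObserveMinutes 10`, name assumed) from an account that has Network Contributor on the firewall and Log Analytics Reader on the workspace. The finally block is the important design choice: if the query step throws, the firewall is still returned to its original logging state instead of being left sampling every flow.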

