Get hostname/domain name from IP in AzureNetworkAnalytics_CL log

Question

Get hostname/domain name from IP in AzureNetworkAnalytics_CL log

Paul Nerie 281

I'm trying to get the outbound bytes for each destination public IP. I have this query:

AzureNetworkAnalytics_CL
| where SubType_s == 'FlowLog'
and FlowDirection_s == 'O'
and FlowStatus_s == 'A'
and FlowType_s == "ExternalPublic"
| project
VM_s,
TimeProcessed_t,
DestinationIP = split(split(DestPublicIPs_s, ' ')[0], '|')[0],
OutboundBytes = toint(split(split(DestPublicIPs_s, ' ')[0], '|')[5])

Is there a way to get the hostname or domain name of the IP address?

Thanks in advance!

Accepted answer

0 additional answers

Your answer

Answer 1

bharathn-msft 5,106 Microsoft Employee Moderator

<<Sharing the information from comments here for broader community usage.>>

Thank you @Paul Nerie for reaching out with your query.

As per current documentation on Public IP details Schema only for Malicious IP, it provides DNS domain, threat type and thread descriptions as identified by Microsoft security intelligence solutions

For additional details on the Traffic Analytics Schema, please refer this document.

Hope the above information helps, please let us know if you have any further queries.

Paul Nerie 281 Reputation points

2021-08-02T02:51:32.617+00:00

Thank you for the info.

There is no function in the query editor or KQL to lookup the DNS? I realize it can slow down the query if this is possible though.
bharathn-msft 5,106 Reputation points Microsoft Employee Moderator

2021-08-02T05:45:15.917+00:00

Thank you @Paul Nerie , unfortunately there is no out of box function with in log Analytics workspace or the context of logs or KQL which would help you to lookup the DNS.

One possible way I could think of writing some custom code to send IP to DNS mapping (provided you can query DNS servers or any 3rd party to get this mapping) as custom log to log analytics workspace and then when you write your query to join both the custom log table and AzureNetworkAnalytics_CL to get the output you need.

Please see if this Data Collector API works to send custom logs to Log Analytics workspace.

Hope the above information helps, please do revert back if you have any further queries on generating custom logs.
Paul Nerie 281 Reputation points

2021-08-02T06:00:29.11+00:00

Thanks again!

I'm very new to this and queries beyond the most basic, simplest ones are currently beyond me, but that's another story.

If I may ask, is the bytes sent data returned by the query cumulative per public IP, for the the period specified? Like:
VM-1, x.x.x.x, 10000

Is it per request?
VM-1, x.x.x.x, 5000
VM-1, x.x.x.x, 5000

Or is it cumulative per time processed?
bharathn-msft 5,106 Reputation points Microsoft Employee Moderator

2021-08-03T02:14:20.843+00:00

Thank you @Paul Nerie for your response. Glad to hear that you are trying out Azure services , please continue to reach out to us via Microsoft Q&A , so that our team or our Community members will be glad to help in any way possible to answer any queries you might have.

Please do accept the answer if you think it helped you, so that it would be beneficial to other customers in the community viewing this thread.

Regarding your query on bytes being sent, can you please help confirm are you referring to below fields ?

InboundBytes_d , OutboundBytes_d

Looking forward to hear back from you, so that we can further help you.
Paul Nerie 281 Reputation points

2021-08-03T05:29:20.427+00:00

Yes, I am referring to those fields.

Thanks again!
bharathn-msft 5,106 Reputation points Microsoft Employee Moderator

2021-08-03T05:58:06.527+00:00

Thanks @Paul Nerie , to my understanding the bytes for those fields is pertaining to each request from source to destination or vice versa . However I am checking internally with few contacts to confirm the same. Will keep you updated as I hear more information.
Paul Nerie 281 Reputation points

2021-08-03T06:01:40.637+00:00

Thank you very much!
bharathn-msft 5,106 Reputation points Microsoft Employee Moderator

2021-08-03T18:19:11.32+00:00

@Paul Nerie Post validation with few other folks internally, it has been called out that the bytes you see is as per request only.

Hope this information helps and please feel free to revert back if you have any additional queries or feel free to create new questions/post with in Microsoft Q&A so that our team or community members can help answer your queries.
Paul Nerie 281 Reputation points

2021-08-04T00:45:54.87+00:00

Thanks! You have been most helpful.

I'll create new posts if I have other questions.

Share via

Get hostname/domain name from IP in AzureNetworkAnalytics_CL log

0 additional answers

Your answer