Log Analytics Query for Azure Network Security Group
The Kusto query language used by Azure Monitor is case-sensitive. Language keywords are usually written in lower case. When using names of tables or columns in a query we have to make sure to use the correct case.
To track the incoming and outgoing traffic flow on an Azure network security group (NSG), follow these steps:
1. Integrate a Log Analytics workspace with the network security group.
2. Once the NSG is integrated with the Log Analytics workspace, we can run queries to trace the traffic flow.
3. To track all denied traffic on the NSG, run the following query in the Log Analytics workspace:
AzureNetworkAnalytics_CL
// NSGRules_s is a '|'-delimited string; field 3 is the rule action (A = allow, D = deny), field 1 is the rule name
| extend NSGRuleAction = tostring(split(NSGRules_s, '|', 3)[0])
| extend NSGRuleName = tostring(split(NSGRules_s, '|', 1)[0])
// NSGList_s is '/'-delimited (subscription/resource group/NSG); field 2 is the NSG name
| extend NSGName = tostring(split(NSGList_s, '/', 2)[0])
| where NSGRuleAction == "D"
| summarize count() by SourceIP = SrcIP_s, DestinationIP = DestIP_s, DestinationPort = DestPort_d, TimeGenerated, NSGName, NSGRuleName, SourceSubnet = Subnet1_s, DestinationSubnet = Subnet2_s
4. To track the incoming denied traffic on the NSG, run the following query in the Log Analytics workspace (replace <NSG-Name> with the name of your NSG):
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog"
| where NSGList_s contains "<NSG-Name>"
// keep only flow intervals in which inbound flows were actually denied
| where DeniedInFlows_d > 0
| project TimeGenerated, FlowIntervalStartTime_t, FlowIntervalEndTime_t, FlowStartTime_t, FlowEndTime_t, FlowType_s, SrcIP_s, DestIP_s, VMIP_s, DestPort_d, L4Protocol_s, L7Protocol_s, NSGList_s, Subnet_s, DeniedInFlows_d
5. To track the outgoing denied traffic on the NSG, run the following query in the Log Analytics workspace (replace <NSG-Name> with the name of your NSG):
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog"
| where NSGList_s contains "<NSG-Name>"
// keep only flow intervals in which outbound flows were actually denied
| where DeniedOutFlows_d > 0
| project TimeGenerated, FlowIntervalStartTime_t, FlowIntervalEndTime_t, FlowStartTime_t, FlowEndTime_t, FlowType_s, SrcIP_s, DestIP_s, VMIP_s, DestPort_d, L4Protocol_s, L7Protocol_s, NSGList_s, Subnet_s, DeniedOutFlows_d
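As an added example (not part of the original post), the same flow-log columns can be aggregated to surface noisy sources rather than listing every denied interval: the query below, which assumes only the AzureNetworkAnalytics_CL columns already used on this page, sums denied inbound flows per source IP and hour for one NSG and keeps only sources that were blocked on many distinct destination ports. <NSG-Name> and the two thresholds are placeholders to tune per environment.

```kql
// Added example: hourly summary of denied inbound flows per source IP for one NSG.
// Assumes the AzureNetworkAnalytics_CL columns used on this page; <NSG-Name>,
// lookback and thresholds are placeholders, not values from the original post.
let nsgName = "<NSG-Name>";
let lookback = 24h;
let minDeniedFlows = 50;     // ignore sources with few denied flows in the hour
let minDistinctPorts = 10;   // flag sources blocked on many different ports
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(lookback)
| where SubType_s == "FlowLog"
| where NSGList_s contains nsgName
| where DeniedInFlows_d > 0
// NSGList_s is subscription/resource group/NSG; field 2 is the NSG name
| extend NSGName = tostring(split(NSGList_s, "/", 2)[0])
| summarize DeniedFlows = sum(DeniedInFlows_d),
            DistinctPorts = dcount(DestPort_d),
            DistinctTargets = dcount(DestIP_s),
            Ports = make_set(DestPort_d, 20),   // up to 20 sample ports per row
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIP = SrcIP_s, NSGName, Hour = bin(TimeGenerated, 1h)
| where DeniedFlows >= minDeniedFlows and DistinctPorts >= minDistinctPorts
| order by DeniedFlows desc
| project Hour, NSGName, SourceIP, DeniedFlows, DistinctPorts, DistinctTargets, Ports, FirstSeen, LastSeen
```

Raise the thresholds on NSGs that front public endpoints, where background scanning noise is constant, and lower them on internal NSGs where any burst of denied inbound flows is worth a look.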
To learn more about KQL (Kusto Query Language), I recommend watching this video by Tim Warner…