Log Analytics Query for Azure Network Security Group

The Kusto query language used by Azure Monitor is case-sensitive. Language keywords are usually written in lower case. When using names of tables or columns in a query we have to make sure to use the correct case.

In order to track the incoming and outgoing traffic flow on an Azure network security group (NSG), follow the steps below:

1. Integrate a Log Analytics workspace with the network security group (NSG flow logs with Traffic Analytics write to the AzureNetworkAnalytics_CL table).

2. Once the NSG is integrated with the Log Analytics workspace, we can run queries against that table to trace the traffic flow.

3. To track all denied traffic on the NSG, run the following query in the Log Analytics workspace (KQL requires straight quotes; the typographic quotes that Medium substitutes will not parse):

AzureNetworkAnalytics_CL
// NSGRules_s is a '|'-delimited string: index 1 is the rule name, index 3 is the flow status (A = allowed, D = denied)
| extend NSGRuleAction = tostring(split(NSGRules_s, '|', 3)[0])
| extend NSGRuleName = tostring(split(NSGRules_s, '|', 1)[0])
// NSGList_s is '/'-delimited: index 2 is the NSG name
| extend NSGName = tostring(split(NSGList_s, '/', 2)[0])
| where NSGRuleAction == "D"
| summarize count() by SourceIP=SrcIP_s, DestinationIP=DestIP_s, DestinationPort=DestPort_d, TimeGenerated, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s

4. To track the incoming denied traffic on the NSG, run the following query in the Log Analytics workspace (replace <NSG-Name> with the name of your NSG):

AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog"
| where NSGList_s contains "<NSG-Name>"
// keep only records that actually carry denied inbound flows
| where DeniedInFlows_d > 0
| project TimeGenerated, FlowIntervalStartTime_t, FlowIntervalEndTime_t, FlowStartTime_t, FlowEndTime_t, FlowType_s, SrcIP_s, DestIP_s, VMIP_s, DestPort_d, L4Protocol_s, L7Protocol_s, NSGList_s, Subnet_s, DeniedInFlows_d

5. To track the outgoing denied traffic on the NSG, run the following query in the Log Analytics workspace (again replacing <NSG-Name>):

AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog"
| where NSGList_s contains "<NSG-Name>"
// keep only records that actually carry denied outbound flows
| where DeniedOutFlows_d > 0
| project TimeGenerated, FlowIntervalStartTime_t, FlowIntervalEndTime_t, FlowStartTime_t, FlowEndTime_t, FlowType_s, SrcIP_s, DestIP_s, VMIP_s, DestPort_d, L4Protocol_s, L7Protocol_s, NSGList_s, Subnet_s, DeniedOutFlows_d
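The three queries above list raw records; for triage it is more useful to aggregate denied inbound flows per source over a time window, so that a single source hitting many ports or many hosts stands out. The query below is an added example, not part of the original post; it reuses the same column names and split() parsing, assumes a 24-hour window, and keeps the <NSG-Name> placeholder.

```kusto
// Added example: denied inbound flows for one NSG in the last 24 hours,
// aggregated per source IP and per NSG rule that denied them.
// <NSG-Name> is a placeholder, exactly as in the queries above.
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(24h)
| where SubType_s == "FlowLog"
| where NSGList_s contains "<NSG-Name>"
| where DeniedInFlows_d > 0
// NSGList_s: <subscription>/<resource group>/<nsg name>
| extend NSGName = tostring(split(NSGList_s, '/', 2)[0])
// NSGRules_s: <index>|<rule name>|<direction>|<status>|<count>
| extend NSGRuleName = tostring(split(NSGRules_s, '|', 1)[0])
| summarize
    DeniedFlows = sum(DeniedInFlows_d),      // total denied inbound flows
    DistinctDestPorts = dcount(DestPort_d),  // breadth of ports attempted
    DistinctTargets = dcount(DestIP_s),      // breadth of hosts attempted
    FirstSeen = min(FlowStartTime_t),
    LastSeen = max(FlowEndTime_t)
    by SrcIP_s, NSGName, NSGRuleName, FlowType_s
| order by DeniedFlows desc, DistinctDestPorts desc
| take 50
```

Sources with a high DistinctDestPorts or DistinctTargets count relative to their DeniedFlows are the rows worth reviewing first; FlowType_s tells you whether the source is external or within your own address space.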

To learn more about KQL (Kusto Query Language), I recommend this video by Tim Warner…

Vijay Borkar (VBCloudboy)
