Roland Lucas

Inspecting Azure Firewall Logs with KQL

I've recently spent some time troubleshooting traffic routes through Azure Firewall, which requires writing KQL queries against the firewall logs. The Azure Firewall Workbook is great for seeing overall trends, but if you want to dive into specific rules then writing your own query is the way to go. In my experience, Googling and asking Copilot for help creating queries only got me so far, so I wanted to share what I learned and cover the main things you might want to inspect.



When inspecting traffic I'm generally interested in a subset of fields, which I've included in the default query. This includes renaming the columns so they are more readable, e.g. SourceIp rather than AdditionalFields.SourceIp. If you comment out the "project" statement, the query returns all available fields with their standard names. Below are the fields I've included:

  1. Time generated

  2. Action (allow, block)

  3. Action reason (e.g. No rule matched, proceeding with default action)

  4. Source IP

  5. Source port

  6. Destination IP (if it's an IP)

  7. Destination port

  8. Destination FQDN (if it's an FQDN)

  9. Rule (the rule hit)

  10. Rule category (e.g. Application rule, Network rule)


I've also included some common ways to filter, e.g. on IP: you can specify a single address, multiple addresses or a CIDR range.
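The query below is an added example written for this page; it is not the author's original query, which is not reproduced here. It assumes Azure Firewall structured logs are sent to a Log Analytics workspace in the resource-specific tables AZFWNetworkRule and AZFWApplicationRule, and uses the column names from Microsoft's published schema for those tables (confirm yours with `AZFWNetworkRule | getschema`). The one-hour lookback and the addresses 10.0.0.4, 10.0.0.5, 10.0.0.0/24 and example.com are placeholders. It projects the ten fields listed above and carries commented-out filter lines for a single IP, a list of IPs and a CIDR range, following the same "remove the // to activate" convention as the post:

```kql
// Added example, not the author's query. Assumes resource-specific tables
// AZFWNetworkRule and AZFWApplicationRule; all addresses are placeholders.
let lookback = 1h;
// Tag each table before the union so the rule category survives as a column.
let networkRules = AZFWNetworkRule
    | where TimeGenerated > ago(lookback)
    | extend RuleCategory = "Network";
let applicationRules = AZFWApplicationRule
    | where TimeGenerated > ago(lookback)
    | extend RuleCategory = "Application";
// Outer union: network-rule rows have no Fqdn and application-rule rows have
// no DestinationIp, so each row carries whichever destination type applies.
union networkRules, applicationRules
// ---- Filters: uncomment a line by removing the leading "//" ----
// Single source address
// | where SourceIp == "10.0.0.4"
// Several source addresses
// | where SourceIp in ("10.0.0.4", "10.0.0.5")
// A CIDR range (IPv4 only; see the usage note for IPv6)
// | where ipv4_is_in_range(SourceIp, "10.0.0.0/24")
// Destination by IP (network rules) or by FQDN (application rules)
// | where DestinationIp == "10.1.0.4" or Fqdn endswith "example.com"
// Only denied traffic (the logged action values are Allow and Deny)
// | where Action =~ "Deny"
// Only traffic that fell through to the policy's default action
// | where ActionReason has "No rule matched"
// Only hits on a specific rule
// | where Rule == "AllowWebOut"
// ---- Output: comment out the project to see every column as logged ----
| project TimeGenerated,
          Action,
          ActionReason,
          SourceIp,
          SourcePort,
          DestinationIp,
          DestinationPort,
          DestinationFqdn = Fqdn,   // rename for readability
          Rule,
          RuleCollection,
          RuleCategory
| order by TimeGenerated desc
```

If your workspace instead lands the logs in a table with a dynamic AdditionalFields column, as the post's AdditionalFields.SourceIp example suggests, the same project step does the renaming, e.g. `SourceIp = tostring(AdditionalFields.SourceIp)`. The CIDR filter uses `ipv4_is_in_range`, which only handles IPv4; KQL provides `ipv6_is_in_range` for IPv6 prefixes if you need them.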


How to use the code

Navigate to your Azure Firewall instance and select "Logs" under the "Monitoring" heading to open the Log Analytics query pane. Copy the code and uncomment the lines you want active by removing the "//" from the start of each line.


Note: I've not had a need to check IPv6 addresses, so I haven't added those.


Hope this helps someone!



