Azure Firewall Log Analytics
Updated: 2024-04-14
Published: 2023-11-29
Intro
This is a quick post on how to query Azure Firewall logs using Kusto Query Language (KQL). It's not a deep dive into KQL, but rather a quick reference of useful queries for future Brad.
Pre-Canned Queries
KQL queries can get pretty crazy. There are some pre-canned queries that are useful for getting started. I usually start with one of these and add parameters to the bottom of the query. Some examples below:
Network Rule Logs
All Logs (Application, Network, DNS, etc.)
To find denied traffic between a source and destination IP address, I found it useful to add the following to the bottom of the pre-canned Network rule log data query:
IP Based Queries
Depending on which pre-canned query you selected, the query will look something like the following.
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
// Existing Query
// ..
// Add Query parameters here
The following three queries produce the same result.
| where (SourceIP == "10.1.1.24" or SourceIP == "10.1.1.25")
| where Target == "10.2.1.100"
| where TargetPort == 3389
| where Action == "Deny"
| limit 100
| where SourceIP in ("10.1.1.24", "10.1.1.25")
| where Target == "10.2.1.100"
| where TargetPort == 3389
| where Action == "Deny"
| limit 100
| where (SourceIP == "10.1.1.24" or SourceIP == "10.1.1.25") and Target == "10.2.1.100" and TargetPort == 3389 and Action == "Deny"
| limit 100
Time Based Queries
Restrict results to an explicit time window by filtering on TimeGenerated:
| where TimeGenerated between(datetime(2025-04-10T00:00:00) .. datetime(2025-04-11T23:59:59))
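Putting the IP and time filters above together into one query, as an added example that is not from the original post: it assumes the pre-canned Network rule query has already produced the SourceIP, Target, TargetPort and Action columns used in this post, and it summarizes the denied hits per source, destination and hour instead of listing every packet.

```kql
// Added example (not the original post's query): denied traffic to TCP/3389 on
// 10.2.1.100 from two source hosts, counted per hour.
// Assumes the pre-canned Network rule log query has already parsed the raw
// log message into the SourceIP, Target, TargetPort and Action columns.
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
// Existing pre-canned query goes here
// ..
// Query parameters added at the bottom
| where TimeGenerated between (datetime(2025-04-10T00:00:00) .. datetime(2025-04-11T23:59:59))
| where SourceIP in ("10.1.1.24", "10.1.1.25")
| where Target == "10.2.1.100" and TargetPort == 3389
| where Action == "Deny"
// One row per source, destination and hour, with the first and last denied hit in that hour
| summarize DeniedCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIP, Target, TargetPort, bin(TimeGenerated, 1h)
// Noisiest source/hour combinations first
| order by DeniedCount desc
| limit 100
```

Dropping the SourceIP filter turns the same query into a quick view of which hosts are being denied access to that destination and port over the window.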
Outro
As time goes on, I'll add more queries to this post.