marknettle / azure_firewall.kusto
Created October 18, 2018 21:51
Kusto query to extract useful fields from Azure Firewall logs
// Pull Azure Firewall rows out of the shared AzureDiagnostics table and
// parse the free-text msg_s field into columns that can be filtered/summarized.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| extend
// leading protocol token, e.g. "TCP request from ..."
proto = extract(@"^([A-Z]+) ",1,msg_s)
// source IP and port from "request from <ip>:<port>"
,src_host = extract(@"request from ([\d\.]*)",1,msg_s)
,src_port = extract(@"request from [\d\.]*:(\d+)",1,msg_s)
// destination may be an IP or FQDN; it ends at ":port", ". " or a final "."
,dest_host = extract(@" to ([-\w\.]+)(:|\. |\.$)",1,msg_s)
,dest_port = extract(@" to [-\w\.]+:(\d+)",1,msg_s)
// the gist is truncated after the `has` condition; the two result values
// of iif() below are assumed to close the expression
,action = iif(
msg_s has "was denied"
, "deny"
, "allow")
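To see what those regexes actually yield before running the query against a workspace, here is an added Python port of the same extract() patterns applied to a few constructed msg_s strings (example code, not part of the gist; the sample messages are made up to match the shapes the regexes expect, and `has` is approximated with a word-boundary match):

```python
import re

# Regexes copied from the gist's Kusto extract() calls; capture group 1 is the field.
FIELD_PATTERNS = {
    "proto": re.compile(r"^([A-Z]+) "),
    "src_host": re.compile(r"request from ([\d\.]*)"),
    "src_port": re.compile(r"request from [\d\.]*:(\d+)"),
    "dest_host": re.compile(r" to ([-\w\.]+)(:|\. |\.$)"),
    "dest_port": re.compile(r" to [-\w\.]+:(\d+)"),
}


def extract(pattern, msg):
    """Mimic Kusto extract(regex, 1, source): group 1, or "" when nothing matches."""
    m = pattern.search(msg)
    return m.group(1) if m else ""


def parse_msg(msg_s):
    """Turn one msg_s string into the same columns the Kusto `extend` produces."""
    fields = {name: extract(p, msg_s) for name, p in FIELD_PATTERNS.items()}
    # Kusto `has` is a case-insensitive whole-term match; approximated here.
    denied = re.search(r"\bwas denied\b", msg_s, re.IGNORECASE) is not None
    fields["action"] = "deny" if denied else "allow"
    return fields


# Constructed sample messages (not real firewall output). They exercise the three
# dest_host terminators: ":port", ". " before more text, and a trailing ".".
SAMPLE_MSGS = [
    "TCP request from 10.0.0.4:49152 to 203.0.113.10:443 was denied. Reason: no rule matched.",
    "HTTPS request from 10.0.0.5:51234 to www.example.com. Action: Allow",
    "TCP request from 10.0.0.6:40000 to example.org.",
]


def parse_all(msgs=SAMPLE_MSGS):
    return [parse_msg(m) for m in msgs]


if __name__ == "__main__":
    for row in parse_all():
        print(row)
```

Note that dest_port comes back empty for FQDN-only messages, so any summarize over it should expect blank values rather than a missing column.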