Microsoft Azure – Azure Firewall network flow logs by TimeGenerated using KQL
In this article we use Azure KQL log queries to retrieve the traffic recorded in Azure Firewall network flow logs, setting the time window in the query with TimeGenerated. We look at several different examples and how to use them to filter the results.
KQL query example 1:
Find the inbound and outbound Azure Firewall network logs of the last 12 hours, projecting TimeGenerated, Protocol, SourceIP, Target, Action and the complete message from the network flow logs.
AzureDiagnostics
| where TimeGenerated > ago(12h)
| where Category == "AzureFirewallNetworkRule"
// msg_s has the form "<Protocol> request from <SourceIP> to <Target>. Action: <Action>"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, Protocol, SourceIP, Target, Action, Complete_MSG=msg_s
Output:
KQL query example 2:
Find the inbound and outbound Azure Firewall network logs of the last 5 minutes, projecting TimeGenerated, Protocol, SourceIP, Target, Action and the complete message from the network flow logs.
AzureDiagnostics
| where TimeGenerated > ago(5m)
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, Protocol, SourceIP, Target, Action, Complete_MSG=msg_s
Output:
KQL query example 3:
Find the inbound and outbound Azure Firewall network logs of the last 7 days, projecting TimeGenerated, Protocol, SourceIP, Target, Action and the complete message from the network flow logs.
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, Protocol, SourceIP, Target, Action, Complete_MSG=msg_s
Output:
KQL query example 4:
Use the between keyword to find the inbound and outbound Azure Firewall network logs of an explicit time window, projecting TimeGenerated, Protocol, SourceIP, Target, Action and the complete message from the network flow logs.
AzureDiagnostics
// between is inclusive on both ends of the range
| where TimeGenerated between (datetime("2022-01-05 00:00:00") .. datetime("2022-01-08 12:00:00"))
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| project TimeGenerated, Protocol, SourceIP, Target, Action, Complete_MSG=msg_s
Output:
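As an added example (not from the original article) that goes beyond the four queries above: it keeps the same between window and parse pattern, additionally splits source and target into address and port, and then summarizes denied flows per source address in one-hour bins, which is the shape a detection query usually takes. It assumes IPv4 addresses in msg_s of the form "TCP request from <ip>:<port> to <ip>:<port>. Action: Deny" and that denied flows carry an Action value starting with "Deny"; the threshold of 50 is an arbitrary constructed value.

```kql
// Added example: denied network-rule flows per source address, in 1-hour bins,
// inside the same explicit TimeGenerated window as query example 4.
// Assumption: msg_s looks like "TCP request from 10.0.0.4:51234 to 10.0.0.5:443. Action: Deny"
// and addresses are IPv4 (the ":" delimiter would not split an IPv6 address correctly).
AzureDiagnostics
| where TimeGenerated between (datetime(2022-01-05 00:00:00) .. datetime(2022-01-08 12:00:00))
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int
                    " to " TargetIP ":" TargetPort:int ". Action: " Action
// startswith tolerates log lines where Action carries trailing text after "Deny"
| where Action startswith "Deny"
| summarize DeniedFlows = count(),
            DistinctTargets = dcount(TargetIP),
            DistinctPorts = dcount(TargetPort),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by bin(TimeGenerated, 1h), SourceIP
// Constructed threshold: only keep sources with at least 50 denied flows in an hour
| where DeniedFlows >= 50
| order by DeniedFlows desc
| project TimeGenerated, SourceIP, DeniedFlows, DistinctTargets, DistinctPorts, FirstSeen, LastSeen
```

Raising the bin size or the threshold trades alert volume for sensitivity; a high DistinctPorts count against few targets is the pattern worth reviewing first.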