Difficulty Identifying Edited Rules in Azure Firewall Logs via KQL

Hyago Santana Mariano 20 Reputation points
2024-11-07T14:16:55.0666667+00:00

Hello, community!

I'm having trouble identifying specific changes to Azure Firewall rules through KQL (Kusto Query Language). After modifying certain firewall rules, I can see that edits have occurred through the firewall’s logs tab (where it shows a JSON indicating that an edit happened), but I'm unable to find any detailed information on which rule was actually modified or what exactly was changed.

Here’s what I’ve tried so far, without success:

  • Querying the AzureActivity table to locate edit events.
  • Checking the AzureDiagnostics table.
  • Running queries for Microsoft.Network/azureFirewalls/write events with KQL.

Despite these attempts, I haven't been able to pinpoint logs that specify which rules were altered. Has anyone experienced this or have any insights on how to get more detailed logs about specific rule changes in Azure Firewall?

Thanks in advance for any assistance!
