Difficulty Identifying Edited Rules in Azure Firewall Logs via KQL

Hyago Santana Mariano 20 Reputation points
2024-11-07T14:16:55.0666667+00:00

Hello, community!

I'm having trouble identifying specific changes to Azure Firewall rules through KQL (Kusto Query Language). After modifying certain firewall rules, I can see that edits have occurred through the firewall’s logs tab (where it shows a JSON indicating that an edit happened), but I'm unable to find any detailed information on which rule was actually modified or what exactly was changed.

Here’s what I’ve tried so far, without success:

  • Querying the AzureActivity table to locate edit events.
  • Checking the AzureDiagnostics table.
  • Running queries for Microsoft.Network/azureFirewalls/write events with KQL.

Despite these attempts, I haven't been able to pinpoint logs that specify which rules were altered. Has anyone experienced this or have any insights on how to get more detailed logs about specific rule changes in Azure Firewall?

Thanks in advance for any assistance!User's image

User's image

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
685 questions
Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
95 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,172 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Rohith Vinnakota 1,240 Reputation points Microsoft Vendor
    2024-11-18T19:39:37.2666667+00:00

    Hi Hyago Santana Mariano,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    When you are trying to query logs such as activity logs from log analytics workspace, the queries don't return the results. Kindly note you need to enable diagnostic settings for activity logs to send to logs to log analytics workspace.

    To enable diagnostic logs for Activity logs: Go to any resource -> Click on Activity Log Tab on left pane -> Click on Export Activity Logs -> Click on "Add Diagnostic Settings" link -> Enter the diagnostic name, Select the Logs, choose the log analytic workspace where you want to query your data. For more information, check this document.

    Then I run this query:

    AzureActivity 
    | where OperationNameValue =~ "microsoft.network/azurefirewalls/write" 
    | where ActivityStatusValue =~ "Start"
    

    By using the above command in the request body, we can identify which rule needs to be changed and view the specific details.

    Go to the Properties->>request body ->> properties.User's image


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    User's image

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.