Difficulty Identifying Edited Rules in Azure Firewall Logs via KQL
Hello, community!
I'm having trouble identifying specific changes to Azure Firewall rules through KQL (Kusto Query Language). After modifying certain firewall rules, I can see that edits have occurred through the firewall’s logs tab (where it shows a JSON indicating that an edit happened), but I'm unable to find any detailed information on which rule was actually modified or what exactly was changed.
Here’s what I’ve tried so far, without success:
- Querying the AzureActivity table to locate edit events.
- Checking the AzureDiagnostics table.
- Running queries for Microsoft.Network/azureFirewalls/write events with KQL.
Despite these attempts, I haven't been able to pinpoint logs that specify which rules were altered. Has anyone experienced this, or does anyone have any insights on how to get more detailed logs about specific rule changes in Azure Firewall?
Thanks in advance for any assistance!