Hello, community! I'm having trouble identifying specific changes to Azure Firewall rules through KQL (Kusto Query Language). After modifying certain firewall rules, I can see that edits have occurred through the firewall’s logs tab (where it shows a JSON indicating that an edit happened), but I'm unable to find any detailed information on which rule was actually modified or what exactly was changed. Here’s what I’ve tried so far, without success: Querying the AzureActivity table to locate edit events. Checking the AzureDiagnostics table. Running queries for Microsoft.Network/azureFirewalls/write events with KQL. Despite these attempts, I haven't been able to pinpoint logs that specify which rules were altered. Has anyone experienced this or have any insights on how to get more detailed logs about specific rule changes in Azure Firewall? Thanks in advance for any assistance!

Hi Hyago Santana Mariano , Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. When you are trying to query logs such as activity logs from log analytics workspace, the queries don't return the results. Kindly note you need to enable diagnostic settings for activity logs to send to logs to log analytics workspace. To enable diagnostic logs for Activity logs: Go to any resource -> Click on Activity Log Tab on left pane -> Click on Export Activity Logs -> Click on "Add Diagnostic Settings" link -> Enter the diagnostic name, Select the Logs, choose the log analytic workspace where you want to query your data. For more information, check this document . Then I run this query: AzureActivity | where OperationNameValue =~ "microsoft.network/azurefirewalls/write" | where ActivityStatusValue =~ "Start" By using the above command in the request body, we can identify which rule needs to be changed and view the specific details. Go to the Properties->>request body ->> properties. Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Difficulty Identifying Edited Rules in Azure Firewall Logs via KQL

Hyago Santana Mariano 20

Hello, community!

I'm having trouble identifying specific changes to Azure Firewall rules through KQL (Kusto Query Language). After modifying certain firewall rules, I can see that edits have occurred through the firewall’s logs tab (where it shows a JSON indicating that an edit happened), but I'm unable to find any detailed information on which rule was actually modified or what exactly was changed.

Here’s what I’ve tried so far, without success:

Querying the AzureActivity table to locate edit events.
Checking the AzureDiagnostics table.
Running queries for Microsoft.Network/azureFirewalls/write events with KQL.

Despite these attempts, I haven't been able to pinpoint logs that specify which rules were altered. Has anyone experienced this or have any insights on how to get more detailed logs about specific rule changes in Azure Firewall?

Thanks in advance for any assistance! User's image

User's image

Rohith Vinnakota 1,240 Reputation points Microsoft Vendor

2024-11-07T23:33:46.27+00:00
Hi Hyago Santana Mariano,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that which rules are updated in the firewall

From log analytics AzureActivity log table will get the above information. Try to query data where OperationName column value is Creates or updates an Azure Firewall or OperationNameValue column value is Microsoft.Network/azureFirewalls/write.

Try this below command:

AzureActivity | where OperationName == 'Creates or updates an Azure Firewall'

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hyago Santana Mariano 20 Reputation points

2024-11-08T12:23:59.51+00:00

It doesn't return any results. But I'm sure there are logs in the selected range.
Rohith Vinnakota 1,240 Reputation points Microsoft Vendor

2024-11-13T20:32:11.8833333+00:00
Hi Hyago Santana Mariano,

sorry for the late response.

I recreate this and i followed these steps
When you are trying to query logs such as activity logs from log analytics workspace, the queries don't return the results. Kindly note you need to enable diagnostic settings for activity logs to send to logs to log analytics workspace.

To enable diagnostic logs for Activity logs: Go to any resource -> Click on Activity Log Tab on left pane -> Click on Export Activity Logs -> Click on "Add Diagnostic Settings" link -> Enter the diagnostic name, Select the Logs, choose the log analytic workspace where you want to query your data. For more information, check this document.

Then I run this query:

AzureActivity | where OperationNameValue =~ "microsoft.network/azurefirewalls/write"

I successfully get results

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,
Rohith
Hyago Santana Mariano 20 Reputation points

2024-11-13T22:33:44.56+00:00

I can get results using this KQL like the print you sent me. But I don't have a place in any column or row that tells me which firewall rule I changed. Can you see it?
Rohith Vinnakota 1,240 Reputation points Microsoft Vendor

2024-11-13T23:58:21.21+00:00
Hi Hyago Santana Mariano,

AzureActivity | where OperationNameValue =~ "microsoft.network/azurefirewalls/write" | where ActivityStatusValue =~ "Start"

By using the above command in the request body, we can identify which rule needs to be changed and view the specific details.

Go to the Properties->>request body ->> properties.

Thanks,
Rohith
Rohith Vinnakota 1,240 Reputation points Microsoft Vendor

2024-11-14T23:14:36.6566667+00:00

Hi Hyago Santana Mariano,

Greetings of the day!!

Just checking in to see if you had a chance to see my response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.

Thanks,

Rohith
Rohith Vinnakota 1,240 Reputation points Microsoft Vendor

2024-11-15T19:07:16.6333333+00:00

Hi Hyago Santana Mariano,

Greetings of the day!!

Just checking in to see if you had a chance to see my response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.

Thanks,

Rohith

1 answer

Rohith Vinnakota 1,240 Reputation points Microsoft Vendor

2024-11-18T19:39:37.2666667+00:00
Hi Hyago Santana Mariano,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

When you are trying to query logs such as activity logs from log analytics workspace, the queries don't return the results. Kindly note you need to enable diagnostic settings for activity logs to send to logs to log analytics workspace.

To enable diagnostic logs for Activity logs: Go to any resource -> Click on Activity Log Tab on left pane -> Click on Export Activity Logs -> Click on "Add Diagnostic Settings" link -> Enter the diagnostic name, Select the Logs, choose the log analytic workspace where you want to query your data. For more information, check this document.

Then I run this query:

AzureActivity | where OperationNameValue =~ "microsoft.network/azurefirewalls/write" | where ActivityStatusValue =~ "Start"

By using the above command in the request body, we can identify which rule needs to be changed and view the specific details.

Go to the Properties->>request body ->> properties.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Difficulty Identifying Edited Rules in Azure Firewall Logs via KQL

1 answer

Your answer