Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
680 questions
Difficulty Identifying Edited Rules in Azure Firewall Logs via KQL
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 60%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHS%3C/text%3E%3C/svg%3E)
Hyago Santana Mariano
20
Reputation points
Hello, community!
I'm having trouble identifying specific changes to Azure Firewall rules through KQL (Kusto Query Language). After modifying certain firewall rules, I can see that edits have occurred through the firewall’s logs tab (where it shows a JSON indicating that an edit happened), but I'm unable to find any detailed information on which rule was actually modified or what exactly was changed.
Here’s what I’ve tried so far, without success:
- Querying the AzureActivity table to locate edit events.
- Checking the AzureDiagnostics table.
- Running queries for Microsoft.Network/azureFirewalls/write events with KQL.
Despite these attempts, I haven't been able to pinpoint logs that specify which rules were altered. Has anyone experienced this or have any insights on how to get more detailed logs about specific rule changes in Azure Firewall?
Thanks in advance for any assistance!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 17%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Rohith Vinnakota 1,085 Reputation points Microsoft Vendor2024-11-07T23:33:46.27+00:00 Hi Hyago Santana Mariano,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.I understand that which rules are updated in the firewall
From log analytics
AzureActivitylog table will get the above information. Try to query data whereOperationNamecolumn value isCreates or updates an Azure FirewallorOperationNameValuecolumn value isMicrosoft.Network/azureFirewalls/write.Try this below command:
AzureActivity | where OperationName == 'Creates or updates an Azure Firewall'Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Sign in to comment
Sign in to answer