by ezs | Nov 28, 2023 | evilzenscientist
If you've worked with Azure for any real length of time, you will have hit the limits of the Azure Activity Log, both in what it records and in how long it keeps it (the portal retains 90 days).
The fix is to send the Activity Log to a Log Analytics workspace, via a diagnostic setting on the subscription, and retain it there for as long as you need.
Today I needed to dig into an event that occurred back in the summer, featuring Bastion. A simple Kusto query with the date range and searchable text got me results in a few moments. Some display filtering of the right columns got me to a happy place.
// Log Analytics query
search "BastionHost" // search is case-insensitive, but it scans every table in the workspace
| where TimeGenerated between (datetime(2023-06-01) .. datetime(2023-06-15)) // date range
| project TimeGenerated, Caller, CorrelationId, SubscriptionId, ResourceGroup, OperationNameValue, Resource = tostring(Properties_d.resource), ActivityStatusValue
// just show the columns we care about (comment out the whole line if you want all of them)
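An added example, not from the original post: the same investigation against the AzureActivity table directly, which is cheaper than `search` because only the Activity Log is scanned, and which collapses the Started/Succeeded/Failed events that share a CorrelationId into one row per operation. It assumes the subscription's Activity Log is routed to the workspace by a diagnostic setting; the Bastion filter strings are assumptions to adjust for whatever operation you are chasing.

```kusto
// Added example (not the original post's query).
// Assumes AzureActivity is populated by a diagnostic setting on the subscription.
AzureActivity
| where TimeGenerated between (datetime(2023-06-01) .. datetime(2023-06-15))
| where ResourceProviderValue =~ "Microsoft.Network"      // values are upper-cased; =~ ignores case
| where OperationNameValue has "bastionHosts"             // e.g. MICROSOFT.NETWORK/BASTIONHOSTS/WRITE (assumed filter)
| extend Resource = tostring(Properties_d.resource),
         StatusCode = tostring(Properties_d.statusCode)
// Start and Succeeded/Failed events for one operation share a CorrelationId:
// keep only the latest event so each operation is a single row
| summarize arg_max(TimeGenerated, *) by CorrelationId
| project TimeGenerated, Caller, CallerIpAddress, SubscriptionId, ResourceGroup,
          OperationNameValue, Resource, ActivityStatusValue, StatusCode
| order by TimeGenerated desc
```

Caller and CallerIpAddress are the columns that matter once you have the operation: the first tells you which identity (user or service principal) made the change, the second where it came from.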
by ezs | Jun 1, 2023 | evilzenscientist
Another one, again demonstrating the use of extend and mv-expand to pull out a multi-valued array (a VNet can have more than one address prefix).
resources
| join kind=leftouter (ResourceContainers | where type == 'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId
| where type == "microsoft.network/virtualnetworks"
| extend vnetCount = array_length(properties.addressSpace.addressPrefixes) // number of address prefixes on the VNet
| mv-expand vnet = properties.addressSpace.addressPrefixes // one row per address prefix
| project SubName, resourceGroup, name, vnetCount, vnet
| order by tostring(vnet) asc
by ezs | Mar 17, 2021 | evilzenscientist
You can tell where I’ve been working by the Kusto queries against Azure Resource Graph that I leave behind.
All Azure VNets and subnets, with subnet details:
// get all Azure VNets and their subnets, with address prefixes
resources
| join kind=leftouter (ResourceContainers | where type == 'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId
| where type == "microsoft.network/virtualnetworks"
| mv-expand subs=properties.subnets // one row per subnet
| extend subnetname = tostring(subs.name)
// a subnet normally has a single addressPrefix; dual-stack subnets carry an addressPrefixes array instead
| extend subnetprefix = coalesce(tostring(subs.properties.addressPrefix), strcat_array(subs.properties.addressPrefixes, ", "))
// join the VNet's prefixes with a comma rather than trimming the JSON brackets off the array with substring,
// which only gave a clean result for VNets with exactly one prefix
| extend vnetprefix = strcat_array(properties.addressSpace.addressPrefixes, ", ")
| project SubName, resourceGroup, name, vnetprefix, subnetname, subnetprefix
| sort by SubName asc, resourceGroup asc, name asc
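An added example, not from the original post, built on the same extend/mv-expand pattern as the two VNet queries above: rather than listing subnets, it checks each one for an attached NSG and rolls up a per-VNet count of unprotected subnets, which is the question I usually end up asking once I have the list. The excluded subnet names are an assumption (GatewaySubnet and AzureFirewallSubnet are not meant to carry an NSG); drop or extend the list to match your environment.

```kusto
// Added example (not the original post's query): subnets with no NSG, rolled up per VNet.
resources
| where type =~ "microsoft.network/virtualnetworks"
| join kind=leftouter (ResourceContainers | where type == 'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId
| mv-expand subnet = properties.subnets                      // one row per subnet
| extend subnetName = tostring(subnet.name),
         subnetPrefix = coalesce(tostring(subnet.properties.addressPrefix), strcat_array(subnet.properties.addressPrefixes, ", ")),
         nsgId = tostring(subnet.properties.networkSecurityGroup.id),   // empty when no NSG is attached
         routeTableId = tostring(subnet.properties.routeTable.id)
// assumed exclusions: these subnet types are not expected to carry an NSG
| where subnetName !in ("GatewaySubnet", "AzureFirewallSubnet", "AzureFirewallManagementSubnet")
| extend hasNsg = isnotempty(nsgId)
| summarize subnets = count(),
            unprotected = countif(hasNsg == false),
            unprotectedSubnets = make_list_if(subnetName, hasNsg == false),
            unprotectedPrefixes = make_list_if(subnetPrefix, hasNsg == false)
      by SubName, resourceGroup, vnet = name
| where unprotected > 0
| order by unprotected desc, SubName asc
```

A subnet with no NSG is not automatically exposed (the NIC may carry one, or there may be nothing routable in front of it), but it is the first thing to check, and the `routeTableId` column is there because a subnet with neither an NSG nor a route table is usually one nobody has looked at.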
This one pulls back network security groups with their rules and metadata (the original was on Thomas Balkeståhl's blog), tidied up:
Resources
| where type =~ "microsoft.network/networksecuritygroups"
| join kind=leftouter (ResourceContainers | where type == 'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId
| mv-expand rules=properties.securityRules // one row per custom rule (the built-in defaults live in properties.defaultSecurityRules)
| extend direction = tostring(rules.properties.direction)
| extend access = tostring(rules.properties.access) // Allow or Deny
| extend priority = toint(rules.properties.priority)
| extend description = tostring(rules.properties.description)
// a rule uses either the singular property or the plural array form; show whichever is populated
| extend destprefix = coalesce(tostring(rules.properties.destinationAddressPrefix), strcat_array(rules.properties.destinationAddressPrefixes, ","))
| extend destport = coalesce(tostring(rules.properties.destinationPortRange), strcat_array(rules.properties.destinationPortRanges, ","))
| extend sourceprefix = coalesce(tostring(rules.properties.sourceAddressPrefix), strcat_array(rules.properties.sourceAddressPrefixes, ","))
| extend sourceport = coalesce(tostring(rules.properties.sourcePortRange), strcat_array(rules.properties.sourcePortRanges, ","))
// name of the first subnet the NSG is attached to (segment 10 of the subnet resource id);
// empty for NSGs that are attached to NICs only
| extend subnet_name = tostring(split(tostring(properties.subnets[0].id), '/')[10])
| project SubName, resourceGroup, subnet_name, name, direction, access, priority, destprefix, destport, sourceprefix, sourceport, description
| sort by SubName asc, resourceGroup asc, name asc, direction asc, priority asc
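An added example, not from the original post or Thomas's: the listing above is the raw material, and the query a security engineer actually wants is the one that flags inbound Allow rules open to the whole internet on management ports. The management port list (22 and 3389) and the set of "any source" values are assumptions to tune; the singular/plural property handling and the port-range parsing are the parts worth keeping.

```kusto
// Added example (not the original post's query): internet-exposed inbound Allow rules on SSH/RDP.
Resources
| where type =~ "microsoft.network/networksecuritygroups"
| join kind=leftouter (ResourceContainers | where type == 'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId
| mv-expand rule = properties.securityRules          // custom rules only; the default rules never allow Internet inbound
| where tostring(rule.properties.direction) =~ "Inbound"
    and tostring(rule.properties.access) =~ "Allow"
// normalise the singular and plural forms of source prefix and destination port into one array each
| extend sources = iff(isnotempty(tostring(rule.properties.sourceAddressPrefix)),
                       pack_array(rule.properties.sourceAddressPrefix),
                       rule.properties.sourceAddressPrefixes)
| extend ports = iff(isnotempty(tostring(rule.properties.destinationPortRange)),
                     pack_array(rule.properties.destinationPortRange),
                     rule.properties.destinationPortRanges)
| mv-expand source = sources                          // two separate expansions give the source x port cross product
| mv-expand port = ports
| extend source = tostring(source), port = tostring(port)
| where source in~ ("*", "Internet", "0.0.0.0/0")    // assumed "any source" values
// a port entry is "*", a single port, or a range "lo-hi"; treat "*" as 0-65535
| extend parts = split(iff(port == "*", "0-65535", port), "-")
| extend lo = toint(parts[0]),
         hi = iff(array_length(parts) == 2, toint(parts[1]), toint(parts[0]))
| where (lo <= 22 and hi >= 22) or (lo <= 3389 and hi >= 3389)   // SSH and RDP; extend to taste
| project SubName, resourceGroup, nsg = name, rule = tostring(rule.name),
          priority = toint(rule.properties.priority), source, port,
          attachedSubnets = array_length(properties.subnets),
          attachedNics = array_length(properties.networkInterfaces)
| order by SubName asc, nsg asc, priority asc
```

A hit here is a lead, not a finding: a Deny rule with a lower priority number in the same NSG, or simply the absence of a public IP behind it, can still mean nothing is reachable. The `attachedSubnets` and `attachedNics` columns also catch the NSG that has a bad rule but is attached to nothing, which is worth cleaning up before somebody attaches it.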
by ezs | Mar 1, 2021 | evilzenscientist
The "get everything about virtual machines" script.
This brings back pretty much everything, in sub-second queries. Far, far easier than the old methods of looping through subscriptions with PowerShell.
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend nics = array_length(properties.networkProfile.networkInterfaces)
| mv-expand nic = properties.networkProfile.networkInterfaces
// keep the primary NIC only (or the only NIC, or a VM with no NIC at all)
| where nics == 1 or tostring(nic.properties.primary) =~ 'true' or isnull(nic)
| project subscriptionId, resourceGroup, vmId = id, vmName = name,
    vmSize = tostring(properties.hardwareProfile.vmSize),
    nicId = tolower(tostring(nic.id)), // lower-case before the join: resource ids are not consistently cased across resources
    location,
    itowner = tostring(tags.itowner), businessowner = tostring(tags.businessowner),
    application = tostring(tags.application), costcenter = tostring(tags.costcenter),
    supportgroup = tostring(tags.supportgroup),
    ['project'] = tostring(tags['project']), // 'project' is a keyword, hence the bracket form
    powerstate = tostring(properties.extended.instanceView.powerState.displayStatus),
    os = tostring(properties.storageProfile.osDisk.osType),
    sku = tostring(properties.storageProfile.imageReference.sku)
| join kind=leftouter (ResourceContainers | where type == 'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId
| join kind=leftouter (
    Resources
    | where type =~ 'microsoft.network/networkinterfaces'
    | extend ipConfigsCount = array_length(properties.ipConfigurations)
    | mv-expand ipconfig = properties.ipConfigurations
    | where ipConfigsCount == 1 or tostring(ipconfig.properties.primary) =~ 'true' // primary IP configuration only
    | project nicId = tolower(id), privIP = tostring(ipconfig.properties.privateIPAddress)) on nicId
| project-away subscriptionId, subscriptionId1, vmId, nicId, nicId1
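An added example, not from the original post: the same VM-to-NIC walk taken one hop further, through the NIC's IP configuration to the public IP address resource, to answer the question "which VMs have a public IP, and does the NIC at least have an NSG?". The resource types and property paths are the standard Resource Graph ones; the output column names are my own. Ids are lower-cased on both sides of each join for the same reason as above.

```kusto
// Added example (not the original post's query): VMs with a public IP, via VM -> NIC -> ipConfiguration -> publicIPAddress.
Resources
| where type =~ "microsoft.compute/virtualmachines"
| extend powerState = tostring(properties.extended.instanceView.powerState.code)   // e.g. PowerState/running
| mv-expand nic = properties.networkProfile.networkInterfaces                     // every NIC, not just the primary
| project subscriptionId, resourceGroup, vmName = name, powerState, nicId = tolower(tostring(nic.id))
| join kind=inner (                                                                // inner: only NICs that carry a public IP
    Resources
    | where type =~ "microsoft.network/networkinterfaces"
    | mv-expand ipconfig = properties.ipConfigurations
    | where isnotempty(ipconfig.properties.publicIPAddress.id)
    | project nicId = tolower(id),
              privateIp = tostring(ipconfig.properties.privateIPAddress),
              pipId = tolower(tostring(ipconfig.properties.publicIPAddress.id)),
              nicNsgId = tostring(properties.networkSecurityGroup.id)
  ) on nicId
| join kind=leftouter (
    Resources
    | where type =~ "microsoft.network/publicipaddresses"
    | project pipId = tolower(id),
              publicIp = tostring(properties.ipAddress),                           // empty for a dynamic IP on a stopped VM
              allocation = tostring(properties.publicIPAllocationMethod)
  ) on pipId
| project subscriptionId, resourceGroup, vmName, powerState, privateIp, publicIp, allocation,
          nicHasNsg = isnotempty(nicNsgId)
| order by vmName asc
```

`nicHasNsg` only covers the NIC; the subnet may carry the NSG instead, so cross-reference with the subnet query before declaring a VM unprotected. Resource Graph allows at most three joins in one query, and this uses two, so there is room to add the subscription name join from the queries above.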