The traffic analytics schema was updated on August 22, 2019.

The total flow count for that record matches the individual flows seen in the blob. To see all the flows, use the blob_id field, which can be referenced from storage.

The following query helps you look at all subnets interacting with non-Azure public IPs in the last 30 days.

```kusto
// Traffic Analytics writes its records to the AzureNetworkAnalytics_CL table in Log Analytics.
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowStartTime_t >= ago(30d) and FlowType_s == "ExternalPublic"
| project Subnet1_s, Subnet2_s
```

To view the blob path for the flows in the previous query, use the following query:

```kusto
let TableWithBlobId =
(AzureNetworkAnalytics_CL
 // Topology records say which storage account each flow-enabled NSG logs to.
 | where SubType_s == "Topology" and ResourceType == "NetworkSecurityGroup" and DiscoveryRegion_s == Region_s and IsFlowEnabled_b
 | extend binTime = bin(TimeProcessed_t, 6h),
          nsgId = strcat(Subscription_g, "/", Name_s),
          saNameSplit = split(FlowLogStorageAccount_s, "/")
 // The storage account name is the last of the three path components.
 | extend saName = iif(arraylength(saNameSplit) == 3, saNameSplit[2], '')
 | distinct nsgId, saName, binTime)
| join kind=inner (
    AzureNetworkAnalytics_CL
    | where SubType_s == "FlowLog" and FlowStartTime_t >= ago(30d) and FlowType_s == "ExternalPublic"
    | extend binTime = bin(FlowEndTime_t, 6h)
) on binTime, $left.nsgId == $right.NSGList_s
// HH is the 24-hour clock that the h= path segment uses; hh would give 12-hour values.
| extend blobTime = format_datetime(todatetime(FlowIntervalStartTime_t), "yyyy MM dd HH")
| extend nsgComponents = split(toupper(NSGList_s), "/"), dateTimeComponents = split(blobTime, " ")
// The leading part of the path is truncated in the page text; the standard NSG flow log
// container and the SUBSCRIPTIONS/RESOURCEGROUPS segments of the resource ID are filled in here.
| extend BlobPath = strcat("https://", saName, ".blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/", nsgComponents[0],
                           "/RESOURCEGROUPS/", nsgComponents[1],
                           "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/", nsgComponents[2],
                           "/y=", dateTimeComponents[0], "/m=", dateTimeComponents[1], "/d=", dateTimeComponents[2], "/h=", dateTimeComponents[3])
| project-away nsgId, saName, binTime, blobTime, nsgComponents, dateTimeComponents;
TableWithBlobId
```

The previous query constructs a URL to access the blob directly. The URL with placeholders is as follows:

https://<saName>.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/<subscriptionId>/RESOURCEGROUPS/<resourceGroup>/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/<nsgName>/y=<year>/m=<month>/d=<day>/h=<hour>
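As an added example (not code from this page or from the Traffic Analytics documentation), the following Python builds the same hourly flow-log blob path that the query assembles with strcat(), from an NSGList_s-style ID and a flow interval timestamp, and parses such a path back into subscription, resource group, NSG and hour so that a blob seen in a storage access log can be tied to the NSG it belongs to. The storage account name, NSG ID and timestamp are constructed sample values; the container name and the trailing m=00/macAddress=.../PT1H.json segment are the standard NSG flow log layout, which the page's truncated query does not show, and are assumptions here.

```python
import re
from datetime import datetime, timezone

# Standard NSG flow log container; the page's query text truncates this prefix,
# so it is stated here as an assumption, not taken from the page.
FLOW_LOG_CONTAINER = "insights-logs-networksecuritygroupflowevent"

# Constructed sample values (not from the page): an NSG ID in the
# "<subscription>/<resourceGroup>/<nsgName>" form Traffic Analytics stores in
# NSGList_s, a storage account name, and a flow interval start time.
SAMPLE_NSG_ID = "00000000-1111-2222-3333-444444444444/my-rg/my-nsg"
SAMPLE_STORAGE_ACCOUNT = "stflowlogs001"
SAMPLE_INTERVAL_START = datetime(2019, 8, 22, 13, 27, tzinfo=timezone.utc)


def flow_log_blob_path(storage_account: str, nsg_id: str, interval_start: datetime,
                       mac_address: str = "<macAddress>") -> str:
    """Build the hourly flow-log blob URL that the KQL query assembles with strcat().

    Mirrors the query: the NSG ID is upper-cased and split on "/", and the
    y=/m=/d=/h= segments come from the interval start in UTC. The hour is the
    24-hour clock (h=00..h=23), the detail the query's format string must get
    right. A naive datetime is treated as UTC, which is how the *_t columns are stored.
    """
    components = nsg_id.upper().split("/")
    if len(components) != 3:
        # Same guard as the query's arraylength(...) == 3 check: a malformed ID
        # must not silently produce a path that points at the wrong NSG.
        raise ValueError(f"expected <subscription>/<resourceGroup>/<nsgName>, got {nsg_id!r}")
    sub, rg, nsg = components
    if interval_start.tzinfo is None:
        interval_start = interval_start.replace(tzinfo=timezone.utc)
    t = interval_start.astimezone(timezone.utc)
    return (
        f"https://{storage_account}.blob.core.windows.net/{FLOW_LOG_CONTAINER}"
        f"/resourceId=/SUBSCRIPTIONS/{sub}/RESOURCEGROUPS/{rg}"
        f"/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsg}"
        f"/y={t:%Y}/m={t:%m}/d={t:%d}/h={t:%H}"
        f"/m=00/macAddress={mac_address}/PT1H.json"
    )


# Inverse direction: pull the identifying fields back out of a blob path (for
# example from a storage access log) so the blob can be tied to an NSG and an hour.
_BLOB_PATH_RE = re.compile(
    r"/SUBSCRIPTIONS/(?P<sub>[^/]+)/RESOURCEGROUPS/(?P<rg>[^/]+)"
    r"/PROVIDERS/MICROSOFT\.NETWORK/NETWORKSECURITYGROUPS/(?P<nsg>[^/]+)"
    r"/y=(?P<y>\d{4})/m=(?P<mo>\d{2})/d=(?P<d>\d{2})/h=(?P<h>\d{2})/m=00"
    r"/macAddress=(?P<mac>[^/]+)/PT1H\.json$"
)


def parse_flow_log_blob_path(path: str) -> dict:
    """Return subscription, resource group, NSG, hour start (UTC) and MAC for a blob path."""
    m = _BLOB_PATH_RE.search(path)
    if not m:
        raise ValueError("not an hourly NSG flow log blob path")
    hour_start = datetime(int(m["y"]), int(m["mo"]), int(m["d"]), int(m["h"]),
                          tzinfo=timezone.utc)
    return {
        "subscription": m["sub"],
        "resource_group": m["rg"],
        "nsg": m["nsg"],
        "hour_start": hour_start,
        "mac_address": m["mac"],
    }


def example() -> tuple:
    """Round-trip the constructed sample values: build the path, then parse it back."""
    path = flow_log_blob_path(SAMPLE_STORAGE_ACCOUNT, SAMPLE_NSG_ID, SAMPLE_INTERVAL_START)
    return path, parse_flow_log_blob_path(path)


if __name__ == "__main__":
    blob_path, fields = example()
    print(blob_path)
    print(fields)
```

The 13:27 UTC sample lands in the h=13 blob, which is the case a 12-hour format string would misplace under h=01; the parser's anchored regex also rejects anything that is not a complete hourly PT1H.json path rather than returning partial fields.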