Azure/KqlKustoLogs/NetworkFlowLogs

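// Top 10 network flows involving at least one endpoint outside the
// 10.18.x.x space, ranked by total bytes, then charted as 5-minute
// throughput per flow. Source table: NTANetAnalytics (Azure Network
// Watcher Traffic Analytics), using BytesSrcToDest / BytesDestToSrc.
//
// A flow key encodes direction: "Src__to__Dest" carries the forward
// byte count, "Dest__back__Src" the return byte count, so each record
// yields two rows and each direction is ranked and charted separately.
//
// The "internal" test is a case-sensitive string prefix match on the
// dotted-quad text, which equals a 10.18.0.0/16 test only for
// well-formed IPv4 strings. NOTE(review): if the table can hold IPv6 or
// unnormalised addresses, ipv4_is_in_range(SrcIp, "10.18.0.0/16") is the
// stricter form — confirm against the data before switching.
let InternalPrefix = "10.18.";
// Bin width for the chart; the Mbps divisor is derived from it so the
// two cannot drift apart.
let BinSize = 5m;
// One row per flow direction. SrcIp/DestIp are kept so the internal
// filter can be applied after the union without repeating the literal.
let Directional = NTANetAnalytics
| project TimeGenerated, SrcIp, DestIp,
          Ip = strcat(SrcIp, "__to__", DestIp), Bytes = BytesSrcToDest
| union (
    NTANetAnalytics
    | project TimeGenerated, SrcIp, DestIp,
              Ip = strcat(DestIp, "__back__", SrcIp), Bytes = BytesDestToSrc
);
// Keep a flow when either endpoint is outside the internal prefix, i.e.
// drop purely internal-to-internal traffic, then rank by volume.
// Projected down to the single Ip column so the `in (TopFlows)` test
// below does not depend on column order.
let TopFlows = Directional
| where SrcIp !startswith_cs InternalPrefix or DestIp !startswith_cs InternalPrefix
| summarize TotalBytes = sum(Bytes) by Ip
| top 10 by TotalBytes
| project Ip;
// Throughput per bin. bytes * 8 = bits; divided by 1024*1024 (binary
// mega, as the original did — strictly Mibit/s) and by the bin length
// in seconds. The Ip key is identical for every record of a flow, so
// filtering on membership here applies the same internal test as above.
Directional
| where Ip in (TopFlows)
| summarize Mbps = sum(Bytes) * 8 / 1024 / 1024 / (BinSize / 1s)
    by bin(TimeGenerated, BinSize), Ip
| render timechart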
