KQL Notebook | Network Security Groups (NSG)
KQL | Network Security Group
Network Security Group logs can be configured to use NSG flow logs or virtual network flow logs.
Traffic analytics (from the Network Watcher resource) is required regardless of which type of log you use to ingest the logs into Log Analytics. Ingestion into Log Analytics runs either every 60 minutes or every 10 minutes. More frequent ingestion incurs additional cost, but it provides more up-to-date logs, which is helpful during debugging.
Flow Logs
Virtual Network Flow Logs
This query uses summarize to group identical flows together, which reduces the amount of noise in the logs. You can apply the filters before or after the summarize; the // << Filters >> line marks where they go when applied first. My preference is to filter before.
NTANetAnalytics
// << Filters >>
// Group identical flows; Count is the number of flow records per group.
// SrcSubnet and SrcVm are '/'-delimited resource paths, so split() picks out the subnet and VM name.
| summarize Count = count()
    by SourceSubnet = tostring(split(SrcSubnet, '/')[2]),
       SourceVM = tostring(split(SrcVm, '/')[1]),
       SourceIp = SrcIp,
       DestinationIp = DestIp,
       DestinationPort = DestPort,
       DestinationL4Protocol = L4Protocol,
       Action = FlowStatus
NSG Flow Logs
This query uses summarize to group identical flows together, which reduces the amount of noise in the logs. You can apply the filters before or after the summarize; the // << Filters >> line marks where they go when applied first. My preference is to filter before.
AzureNetworkAnalytics_CL
// << Filters >>
// Group identical flows; Count is the number of flow records per group.
// Column names in this table carry type suffixes (_s string, _d numeric).
| summarize Count = count()
    by SourceIp = SrcIP_s,
       DestinationIp = DestIP_s,
       DestinationPort = DestPort_d,
       Direction = FlowDirection_s,
       Action = FlowStatus_s
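The two queries above leave the // << Filters >> line empty. As an added example (not part of the original notebook), here is one way to fill it in for both tables: the filters run before summarize so the aggregation only sees the rows of interest, in this case denied inbound flows to management ports. The lookback window and port list are constructed values, and the columns not shown on the page (TimeGenerated, SubType, FlowDirection, FlowType, AclRule and their _s equivalents) are assumed.

```kusto
// Virtual network flow logs: filter first, then summarize.
NTANetAnalytics
| where TimeGenerated > ago(1h)              // constructed lookback window
| where SubType == "FlowLog"                 // assumed: keep flow rows, drop topology rows
| where FlowDirection == "I"                 // assumed: inbound flows only
| where FlowStatus == "D"                    // denied by a rule
| where FlowType == "ExternalPublic"         // assumed: source is outside Azure
| where DestPort in (22, 3389)               // constructed watch-list of management ports
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIp = SrcIp,
       DestinationIp = DestIp,
       DestinationPort = DestPort,
       DestinationL4Protocol = L4Protocol,
       Rule = AclRule                        // assumed: the NSG rule that matched
| order by Count desc
| take 50

// NSG flow logs: the same filters against the suffixed column names.
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(1h)              // constructed lookback window
| where SubType_s == "FlowLog"               // assumed: keep flow rows, drop topology rows
| where FlowDirection_s == "I"               // assumed: inbound flows only
| where FlowStatus_s == "D"                  // denied by a rule
| where DestPort_d in (22, 3389)             // constructed watch-list of management ports
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIp = SrcIP_s,
       DestinationIp = DestIP_s,
       DestinationPort = DestPort_d,
       Direction = FlowDirection_s,
       Action = FlowStatus_s
| order by Count desc
| take 50
```

Run the two queries one at a time (the blank line separates them in the Log Analytics editor); swapping FlowStatus to "A" shows which of the same flows were allowed, which is useful when checking whether a rule is doing what you expect.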