Table: azure_network_watcher_flow_log - Query Azure Network Watcher Flow Logs using SQL
Azure Network Watcher Flow Logs is a feature within Microsoft Azure that enables capturing information about IP traffic flowing to, and from, Network Security Groups present in Azure Virtual Networks. It allows network troubleshooting, provides visibility into network activity, and maintains compliance by logging network traffic. This feature is critical to understand the access and traffic patterns of Azure resources.
Table Usage Guide
The azure_network_watcher_flow_log table provides insights into the network traffic patterns within Azure Network Watcher. As a Network Administrator, explore traffic-specific details through this table, including source and destination IP addresses, traffic flow direction, and traffic volume. Utilize it to uncover information about traffic patterns, such as peak traffic times, most accessed resources, and potential network anomalies.
Examples
Basic info
Determine the areas in which Azure Network Watcher's flow logs are enabled to gain insights into your network traffic patterns and trends. This allows you to assess the elements within your network for better security and performance management.
select name, enabled, network_watcher_name, target_resource_idfrom azure_network_watcher_flow_log;select name, enabled, network_watcher_name, target_resource_idfrom azure_network_watcher_flow_log;List disabled flow logs
Explore which of the network traffic monitoring tools in your Azure environment are currently inactive. This is useful for ensuring all necessary flow logs are enabled for optimal security and performance monitoring.
select name, id, region, enabledfrom azure_network_watcher_flow_logwhere not enabled;select name, id, region, enabledfrom azure_network_watcher_flow_logwhere enabled = 0;List flow logs with a retention period less than 90 days
Analyze the settings of Azure Network Watcher flow logs to identify instances where the logs are enabled and have a retention period of less than 90 days. This can be useful for ensuring compliance with data retention policies and managing storage costs.
select name, region, enabled, retention_policy_daysfrom azure_network_watcher_flow_logwhere enabled and retention_policy_days < 90;select name, region, enabled, retention_policy_daysfrom azure_network_watcher_flow_logwhere enabled = 1 and retention_policy_days < 90;Get storage account details for each flow log
Determine the areas in which Azure Network Watcher's flow logs are stored and the types of files they contain. This is beneficial for understanding the storage distribution and file types involved in your network monitoring processes.
select name, file_type, storage_idfrom azure_network_watcher_flow_log;select name, file_type, storage_idfrom azure_network_watcher_flow_log;Query examples
Control examples
- 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Schema for azure_network_watcher_flow_log
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| cloud_environment | text | The Azure Cloud Environment. | |
| enabled | boolean | Indicates whether the flow log is enabled, or not. | |
| etag | text | An unique read-only string that changes whenever the resource is updated. | |
| file_type | text | The file type of flow log. Possible values include: 'JSON'. | |
| id | text | Contains ID to identify a flow log uniquely. | |
| name | text | = | The friendly name that identifies the flow log. |
| network_watcher_name | text | = | The friendly name that identifies the network watcher. |
| provisioning_state | text | The provisioning state of the flow log. | |
| region | text | The Azure region/location in which the resource is located. | |
| resource_group | text | = | The resource group which holds this resource. |
| retention_policy_days | bigint | Specifies the number of days to retain flow log records. | |
| retention_policy_enabled | boolean | Indicates whether flow log retention is enabled, or not. | |
| storage_id | text | The ID of the storage account which is used to store the flow log. | |
| subscription_id | text | The Azure Subscription ID in which the resource is located. | |
| tags | jsonb | A map of tags for the resource. | |
| target_resource_guid | text | The Guid of network security group to which flow log will be applied. | |
| target_resource_id | text | The ID of network security group to which flow log will be applied. | |
| title | text | Title of the resource. | |
| traffic_analytics | jsonb | Defines the configuration of flow log traffic analytics. | |
| type | text | The resource type of the flow log. | |
| version | bigint | The version (revision) of the flow log. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azureYou can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_network_watcher_flow_log