steampipe plugin install azure

Table: azure_network_watcher_flow_log - Query Azure Network Watcher Flow Logs using SQL

Azure Network Watcher Flow Logs is a feature within Microsoft Azure that captures information about IP traffic flowing to and from network security groups in Azure virtual networks. It supports network troubleshooting, provides visibility into network activity, and helps maintain compliance by logging network traffic. This feature is critical for understanding the access and traffic patterns of Azure resources.

Table Usage Guide

The azure_network_watcher_flow_log table provides insights into the network traffic patterns within Azure Network Watcher. As a Network Administrator, explore traffic-specific details through this table, including source and destination IP addresses, traffic flow direction, and traffic volume. Utilize it to uncover information about traffic patterns, such as peak traffic times, most accessed resources, and potential network anomalies.

Examples

Basic info

Determine the areas in which Azure Network Watcher's flow logs are enabled to gain insights into your network traffic patterns and trends. This allows you to assess the elements within your network for better security and performance management.

select
  name,
  enabled,
  network_watcher_name,
  target_resource_id
from
  azure_network_watcher_flow_log;

List disabled flow logs

Explore which of the network traffic monitoring tools in your Azure environment are currently inactive. This is useful for ensuring all necessary flow logs are enabled for optimal security and performance monitoring.

PostgreSQL:

select
  name,
  id,
  region,
  enabled
from
  azure_network_watcher_flow_log
where
  not enabled;

SQLite:

select
  name,
  id,
  region,
  enabled
from
  azure_network_watcher_flow_log
where
  enabled = 0;

List flow logs with a retention period less than 90 days

Analyze the settings of Azure Network Watcher flow logs to identify instances where the logs are enabled and have a retention period of less than 90 days. This can be useful for ensuring compliance with data retention policies and managing storage costs.

PostgreSQL:

select
  name,
  region,
  enabled,
  retention_policy_days
from
  azure_network_watcher_flow_log
where
  enabled
  and retention_policy_days < 90;

SQLite:

select
  name,
  region,
  enabled,
  retention_policy_days
from
  azure_network_watcher_flow_log
where
  enabled = 1
  and retention_policy_days < 90;
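The queries above check one setting at a time. The following added example (not part of the Steampipe documentation) folds the disabled-log and short-retention checks into a single per-flow-log verdict and also flags flow logs without Traffic Analytics. It is written for the PostgreSQL dialect and assumes the traffic_analytics JSON carries an "enabled" key under "networkWatcherFlowAnalyticsConfiguration"; verify that key path against the column contents in your own subscription.

```sql
-- Added example, not from the Steampipe docs. One row per flow log with a
-- pass/warn/fail status so the weakest setting surfaces first.
-- Assumption: traffic_analytics -> 'networkWatcherFlowAnalyticsConfiguration' ->> 'enabled'
-- is where the Traffic Analytics on/off flag lives; adjust if your data differs.
select
  name,
  resource_group,
  region,
  target_resource_id,
  retention_policy_days,
  case
    when not enabled then 'fail: flow log disabled'
    when not retention_policy_enabled then 'fail: retention policy not enforced'
    when retention_policy_days < 90 then 'fail: retention under 90 days'
    when coalesce(
           traffic_analytics -> 'networkWatcherFlowAnalyticsConfiguration' ->> 'enabled',
           'false'
         ) <> 'true'
      then 'warn: traffic analytics disabled'
    else 'pass'
  end as status
from
  azure_network_watcher_flow_log
order by
  status,
  name;
```

Rows whose status begins with "fail" correspond exactly to the flow logs the two preceding queries would return; the "warn" rows are an additional, lower-severity finding.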

Get storage account details for each flow log

Determine the areas in which Azure Network Watcher's flow logs are stored and the types of files they contain. This is beneficial for understanding the storage distribution and file types involved in your network monitoring processes.

select
  name,
  file_type,
  storage_id
from
  azure_network_watcher_flow_log;

Schema for azure_network_watcher_flow_log

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| cloud_environment | text | | The Azure Cloud Environment. |
| enabled | boolean | | Indicates whether the flow log is enabled, or not. |
| etag | text | | A unique read-only string that changes whenever the resource is updated. |
| file_type | text | | The file type of flow log. Possible values include: 'JSON'. |
| id | text | | Contains ID to identify a flow log uniquely. |
| name | text | = | The friendly name that identifies the flow log. |
| network_watcher_name | text | = | The friendly name that identifies the network watcher. |
| provisioning_state | text | | The provisioning state of the flow log. |
| region | text | | The Azure region/location in which the resource is located. |
| resource_group | text | = | The resource group which holds this resource. |
| retention_policy_days | bigint | | Specifies the number of days to retain flow log records. |
| retention_policy_enabled | boolean | | Indicates whether flow log retention is enabled, or not. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| storage_id | text | | The ID of the storage account which is used to store the flow log. |
| subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
| tags | jsonb | | A map of tags for the resource. |
| target_resource_guid | text | | The GUID of the network security group to which the flow log is applied. |
| target_resource_id | text | | The ID of the network security group to which the flow log is applied. |
| title | text | | Title of the resource. |
| traffic_analytics | jsonb | | Defines the configuration of flow log traffic analytics. |
| type | text | | The resource type of the flow log. |
| version | bigint | | The version (revision) of the flow log. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are standalone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_network_watcher_flow_log