Table: azure_network_watcher_flow_log - Query Azure Network Watcher Flow Logs using SQL

Azure Network Watcher Flow Logs is a feature within Microsoft Azure that enables capturing information about IP traffic flowing to, and from, Network Security Groups present in Azure Virtual Networks. It allows network troubleshooting, provides visibility into network activity, and maintains compliance by logging network traffic. This feature is critical to understand the access and traffic patterns of Azure resources.

Table Usage Guide

The azure_network_watcher_flow_log table provides insights into the network traffic patterns within Azure Network Watcher. As a Network Administrator, explore traffic-specific details through this table, including source and destination IP addresses, traffic flow direction, and traffic volume. Utilize it to uncover information about traffic patterns, such as peak traffic times, most accessed resources, and potential network anomalies.

Examples

Basic info

Determine the areas in which Azure Network Watcher's flow logs are enabled to gain insights into your network traffic patterns and trends. This allows you to assess the elements within your network for better security and performance management.

select
  name,
  enabled,
  network_watcher_name,
  target_resource_id
from
  azure_network_watcher_flow_log;

select
  name,
  enabled,
  network_watcher_name,
  target_resource_id
from
  azure_network_watcher_flow_log;

List disabled flow logs

Explore which of the network traffic monitoring tools in your Azure environment are currently inactive. This is useful for ensuring all necessary flow logs are enabled for optimal security and performance monitoring.

select
  name,
  id,
  region,
  enabled
from
  azure_network_watcher_flow_log
where
  not enabled;

select
  name,
  id,
  region,
  enabled
from
  azure_network_watcher_flow_log
where
  enabled = 0;

List flow logs with a retention period less than 90 days

Analyze the settings of Azure Network Watcher flow logs to identify instances where the logs are enabled and have a retention period of less than 90 days. This can be useful for ensuring compliance with data retention policies and managing storage costs.

select
  name,
  region,
  enabled,
  retention_policy_days
from
  azure_network_watcher_flow_log
where
  enabled
  and retention_policy_days < 90;

select
  name,
  region,
  enabled,
  retention_policy_days
from
  azure_network_watcher_flow_log
where
  enabled = 1
  and retention_policy_days < 90;

Get storage account details for each flow log

Determine the areas in which Azure Network Watcher's flow logs are stored and the types of files they contain. This is beneficial for understanding the storage distribution and file types involved in your network monitoring processes.

select
  name,
  file_type,
  storage_id
from
  azure_network_watcher_flow_log;

select
  name,
  file_type,
  storage_id
from
  azure_network_watcher_flow_log;

Query examples

security_group_flow_logs

Control examples

Schema for azure_network_watcher_flow_log

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
cloud_environment	text		The Azure Cloud Environment.
enabled	boolean		Indicates whether the flow log is enabled, or not.
etag	text		An unique read-only string that changes whenever the resource is updated.
file_type	text		The file type of flow log. Possible values include: 'JSON'.
id	text		Contains ID to identify a flow log uniquely.
name	text	=	The friendly name that identifies the flow log.
network_watcher_name	text	=	The friendly name that identifies the network watcher.
provisioning_state	text		The provisioning state of the flow log.
region	text		The Azure region/location in which the resource is located.
resource_group	text	=	The resource group which holds this resource.
retention_policy_days	bigint		Specifies the number of days to retain flow log records.
retention_policy_enabled	boolean		Indicates whether flow log retention is enabled, or not.
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.
storage_id	text		The ID of the storage account which is used to store the flow log.
subscription_id	text	=, !=, ~~, ~~, !~~, !~~	The Azure Subscription ID in which the resource is located.
tags	jsonb		A map of tags for the resource.
target_resource_guid	text		The Guid of network security group to which flow log will be applied.
target_resource_id	text		The ID of network security group to which flow log will be applied.
title	text		Title of the resource.
traffic_analytics	jsonb		Defines the configuration of flow log traffic analytics.
type	text		The resource type of the flow log.
version	bigint		The version (revision) of the flow log.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_network_watcher_flow_log