PaulNerie-9756 asked

Get hostname/domain name from IP in AzureNetworkAnalytics_CL log

I'm trying to get the outbound bytes for each destination public IP. I have this query:

AzureNetworkAnalytics_CL
| where SubType_s == 'FlowLog'
and FlowDirection_s == 'O'
and FlowStatus_s == 'A'
and FlowType_s == "ExternalPublic"
| project
VM_s,
TimeProcessed_t,
DestinationIP = split(split(DestPublicIPs_s, ' ')[0], '|')[0],
OutboundBytes = toint(split(split(DestPublicIPs_s, ' ')[0], '|')[5])

Is there a way to get the hostname or domain name of the IP address?

Thanks in advance!

azure-monitor

1 Answer

bharathn-msft answered

<<Sharing the information from comments here for broader community usage.>>

Thank you @PaulNerie-9756 for reaching out with your query.

As per the current documentation on the Public IP details schema, only for malicious IPs does it provide the DNS domain, threat type and threat descriptions as identified by Microsoft security intelligence solutions.

For additional details on the Traffic Analytics schema, please refer to this document.

Hope the above information helps, please let us know if you have any further queries.


Thank you for the info.

Is there no function in the query editor or KQL to look up the DNS? I realize it could slow down the query if this is possible, though.


Thank you @PaulNerie-9756, unfortunately there is no out-of-the-box function within a Log Analytics workspace, or in the context of logs or KQL, which would help you look up the DNS.

One possible way I could think of is writing some custom code to send the IP-to-DNS mapping (provided you can query DNS servers or any 3rd party to get this mapping) as a custom log to the Log Analytics workspace, and then, when you write your query, join the custom log table and AzureNetworkAnalytics_CL to get the output you need.

Please see if this Data Collector API works to send custom logs to Log Analytics workspace.

Hope the above information helps, please do revert back if you have any further queries on generating custom logs.

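The custom-log approach suggested in the answer above, as an added example that is not from the thread or from Microsoft: a Python script that reverse-resolves destination IPs, builds the custom-log records, and signs a Data Collector API request, followed by the KQL join to run once the table exists. The workspace ID, key and table name are placeholders, and the resolver and IPs are constructed sample data so the script runs offline; the Data Collector API is deprecated in favour of the Logs Ingestion API, but the join pattern is the same.

```python
import base64
import datetime
import hashlib
import hmac
import json
import socket

WORKSPACE_ID = "<workspace-id>"   # placeholder: Log Analytics workspace ID from the portal
SHARED_KEY = base64.b64encode(b"placeholder-key").decode()  # placeholder: real primary key is base64 from the portal
LOG_TYPE = "IpDnsMap"             # Log Analytics stores it as the custom table IpDnsMap_CL

# Constructed sample resolver so the example runs offline; pass socket.gethostbyaddr for real PTR lookups.
SAMPLE_PTR = {"203.0.113.5": "host.example", "203.0.113.9": "mail.example"}
def sample_resolver(ip):
    if ip in SAMPLE_PTR:
        return (SAMPLE_PTR[ip], [], [ip])       # same tuple shape as socket.gethostbyaddr
    raise OSError("no PTR record")              # socket.herror is a subclass of OSError

def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """PTR lookup; returns None on any failure so one unresolvable IP never aborts the batch."""
    try:
        return resolver(ip)[0]
    except OSError:
        return None

def build_records(ips, resolver=socket.gethostbyaddr):
    """One record per unique IP; unresolved IPs keep Hostname=null so the KQL join still shows them."""
    return [{"DestinationIP": ip, "Hostname": reverse_lookup(ip, resolver)} for ip in sorted(set(ips))]

def string_to_sign(content_length, rfc1123_date):
    """Canonical string the Data Collector API signs with HMAC-SHA256 (SharedKey scheme)."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"

def build_request(records, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY, log_type=LOG_TYPE, rfc1123_date=None):
    """Returns (url, headers, body) ready for an HTTP POST; nothing is sent here."""
    body = json.dumps(records)
    date = rfc1123_date or datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign(len(body.encode()), date).encode(),
                      hashlib.sha256).digest()
    headers = {"Content-Type": "application/json", "Log-Type": log_type, "x-ms-date": date,
               "Authorization": f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"}
    return f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01", headers, body

# KQL to run once IpDnsMap_CL exists: custom string columns get the _s suffix, so map them before joining.
JOIN_QUERY = """AzureNetworkAnalytics_CL
| where SubType_s == 'FlowLog' and FlowDirection_s == 'O' and FlowStatus_s == 'A' and FlowType_s == 'ExternalPublic'
| extend DestinationIP = tostring(split(split(DestPublicIPs_s, ' ')[0], '|')[0]),
         OutboundBytes = toint(split(split(DestPublicIPs_s, ' ')[0], '|')[5])
| join kind=leftouter (IpDnsMap_CL | project DestinationIP = DestinationIP_s, Hostname = Hostname_s) on DestinationIP
| summarize TotalOutboundBytes = sum(OutboundBytes) by VM_s, DestinationIP, Hostname"""
```

Run the script periodically (for example from an Azure Function or a scheduled job) against the distinct destination IPs from the flow log query, then use JOIN_QUERY in the workspace.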

Thanks again!

I'm very new to this and queries beyond the most basic, simplest ones are currently beyond me, but that's another story.

If I may ask, is the bytes-sent data returned by the query cumulative per public IP for the period specified? Like:
VM-1, x.x.x.x, 10000

Is it per request?
VM-1, x.x.x.x, 5000
VM-1, x.x.x.x, 5000

Or is it cumulative per time processed?
