scautomation / Azure-Inventory-Workbook

The Ultimate Azure Inventory Dashboard

NSG with Flow Logs and Traffic Analytics #4

Closed maniaX1 closed 3 years ago

maniaX1 commented 3 years ago

Hello Billy, I tried this workbook and it is really cool!! When I tested all possibilities I noticed that in Network/Network Details there was an error on the NSG tab: image The reason was that I haven't configured any Flow Logs yet in my LAB environment.

After I enabled Flow Logs on some NSG, a record in "microsoft.network/networkwatchers/flowlogs" was created and everything started to work. But anyway, the first time there was an error. I just wondered and tried to change that in the original queries to also display Flow Logs status, but without any chance :-(

Queries I used:

Resources
| where type =~ 'Microsoft.Network/networkWatchers/flowlogs'
| extend provisioningState = parse_json(properties).provisioningState
| extend status = parse_json(properties).enabled
| extend workspaceResourceId = tostring(parse_json(parse_json(parse_json(properties).flowAnalyticsConfiguration).networkWatcherFlowAnalyticsConfiguration).workspaceResourceId)
| extend targetResourceId = iff(notempty(workspaceResourceId) and provisioningState == "Succeeded" and status == "true", tostring(parse_json(properties).targetResourceId), "null" )
| distinct targetResourceId

Resources
| where type =~ 'microsoft.network/networksecuritygroups'
| extend traficAnalysis = id in~ ({nsgWithflowLogs})
| extend flowLogs = properties.status in~ ({nsgWithflowLogs})
| project subscriptionId, ['Resource group'] = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), ['Network Security Group'] = id, ["Location"]=location, ["Flow Logs"]=flowLogs, ["Traffic Analytics"]=traficAnalysis

But the result is this one: image

There should be true instead of zeroes. Any idea? Thank you!

JamesDLD commented 3 years ago

Hi @maniaX1 ,

Actually, the variable "flowLogs" inventories the NSGs with Flow Logs AND Traffic Analytics. It will switch to 1 when both options are enabled.

image

You can check that with the following "Azure Resource Graph Explorer" command, it will output all NSG with Flow Logs & Traffic Analytics -->

Resources 
| where type =~ 'Microsoft.Network/networkWatchers/flowlogs' 
| extend provisioningState = parse_json(properties).provisioningState 
| extend workspaceResourceId = tostring(parse_json(parse_json(parse_json(properties).flowAnalyticsConfiguration).networkWatcherFlowAnalyticsConfiguration).workspaceResourceId) 
| extend targetResourceId = tostring(parse_json(properties).targetResourceId) 
| where workspaceResourceId != "" and provisioningState == "Succeeded" 
| project ["NSG with Traffic Analytics"]=targetResourceId

maniaX1 commented 3 years ago

Yep @JamesDLD, you are correct, but it would be great to have one more column there with Flow Logs, since you can enable just Flow Logs and Traffic Analytics can still be disabled. I am trying to figure it out but without success :-(

scautomation commented 3 years ago

@maniaX1 just merged @JamesDLD's pull request, should be fixed now.

JamesDLD commented 3 years ago

Thank you for the feedback @maniaX1 ! We now have both info, Flow Logs & Traffic Analytics image
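One way to report the two settings in separate columns per NSG, as an added Azure Resource Graph example (it is not the merged pull request's query and not code from any participant in this thread). It assumes the flow log resource exposes `properties.enabled` and `flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled`; the second field and the `nsgId`, `flowLogsEnabled` and `trafficAnalyticsEnabled` names are choices made here, not taken from the thread.

```kusto
// Added example: one row per NSG, Flow Logs and Traffic Analytics reported separately.
Resources
| where type =~ 'microsoft.network/networksecuritygroups'
// Resource IDs can differ in case between resources, so join on a lower-cased key.
| extend nsgId = tolower(id)
| join kind=leftouter (
    Resources
    | where type =~ 'microsoft.network/networkwatchers/flowlogs'
    | where tostring(properties.provisioningState) == 'Succeeded'
    | extend ta = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration
    | project
        nsgId = tolower(tostring(properties.targetResourceId)),
        flowLogsEnabled = tobool(properties.enabled),
        // Count Traffic Analytics only when it is enabled and bound to a workspace.
        trafficAnalyticsEnabled = tobool(ta.enabled) and isnotempty(tostring(ta.workspaceResourceId))
  ) on nsgId
| project
    subscriptionId,
    ['Resource group'] = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup),
    ['Network Security Group'] = id,
    ['Location'] = location,
    // NSGs without any flow log resource come back null from the join: report them as false,
    // so the query also works in a subscription where no flow log exists yet.
    ['Flow Logs'] = iff(isnull(flowLogsEnabled), false, flowLogsEnabled),
    ['Traffic Analytics'] = iff(isnull(trafficAnalyticsEnabled), false, trafficAnalyticsEnabled)
// NSGs with no flow logging sort first, since those are the visibility gaps to review.
| order by ['Flow Logs'] asc, ['Network Security Group'] asc
```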

maniaX1 commented 3 years ago

You are welcome @JamesDLD. Thanks for the modification, now it looks perfect!

kalyan2457 commented 3 years ago

image

Don't we have the possibility of this in the dashboard? @scautomation @maniaX1