This article provides sample Kusto Query Language (KQL) queries to help you analyze Traffic Analytics data effectively. Traffic Analytics processes virtual network (VNet) flow logs and network security group (NSG) flow logs to give detailed insight into network traffic patterns, security events, and performance metrics.
Use these queries to:
- Identify network traffic patterns and the top communicating endpoints
- Monitor security events and analyze potential threats
- Troubleshoot network connectivity issues
- Optimize network performance and resource utilization
Prerequisites
- Traffic Analytics configured for your flow logs. For more information, see Enable or disable Traffic Analytics.
- Access to the Log Analytics workspace that stores the flow log data. For more information, see Log Analytics workspace overview.
NTANetAnalytics queries
This section provides sample queries for the NTANetAnalytics table, which you use to analyze virtual network flow log data processed by Traffic Analytics. The NTANetAnalytics table contains aggregated flow log data enriched with network analytics information. For details on the table schema and the available fields, see NTANetAnalytics.
List subnets interacting with public IPs
Use the following query to list all subnets that interacted with non-Azure public IPs in the last 30 days.
NTANetAnalytics
| where SubType == "FlowLog" and FlowStartTime > ago(30d) and FlowType == "ExternalPublic"
| project SrcSubnet, DestSubnet
List subnets interacting with each other
Use the following query to list all subnet pairs that exchanged traffic in the last 30 days, with the total bytes exchanged broken down by L4 protocol and destination port.
NTANetAnalytics
| where SubType == 'FlowLog' and FaSchemaVersion == '3' and TimeGenerated > ago(30d)
| where isnotempty(SrcSubnet) and isnotempty(DestSubnet)
| summarize TotalBytes=sum(BytesSrcToDest + BytesDestToSrc) by SrcSubnet, DestSubnet,L4Protocol,DestPort
View cross-region traffic
Use the following query to view intra-region and inter-region traffic for the last 30 days, summarized by source and destination region.
NTANetAnalytics
| where TimeGenerated > ago(30d)
| project SrcRegion, DestRegion, BytesDestToSrc, BytesSrcToDest
| where isnotempty(SrcRegion) and isnotempty(DestRegion)
| summarize TransferredBytes=sum(BytesDestToSrc+BytesSrcToDest) by SrcRegion, DestRegion
View traffic by subscription
Use the following query to view Azure traffic for the last 30 days grouped by source and destination subscription.
NTANetAnalytics
| where TimeGenerated > ago(30d)
| project SrcSubscription, DestSubscription, BytesDestToSrc, BytesSrcToDest
| where isnotempty(SrcSubscription) and isnotempty(DestSubscription)
| summarize TransferredBytes=sum(BytesDestToSrc+BytesSrcToDest) by SrcSubscription, DestSubscription
List virtual machines receiving the most on-premises traffic
Use the following query to check which virtual machines receive the most on-premises (S2S) traffic. Replace <Scoping condition> with a filter that narrows the result (for example a resource group or subnet) and the datetime(<time>) placeholders with your time range. The query ranks by the number of allowed and denied flows in both directions; use the commented byte expression instead to rank by bytes.
NTANetAnalytics
| where SubType == "FlowLog" and FlowType == "S2S"
| where <Scoping condition>
| mvexpand vm = pack_array(SrcVm, DestVm) to typeof(string)
| where isnotempty(vm)
| extend traffic = AllowedInFlows + DeniedInFlows + AllowedOutFlows + DeniedOutFlows // For bytes use: | extend traffic = InboundBytes + OutboundBytes
| make-series TotalTraffic = sum(traffic) default = 0 on FlowStartTime from datetime(<time>) to datetime(<time>) step 1m by vm
| render timechart
List IPs receiving the most on-premises traffic
Use the following query to check which IP addresses receive the most on-premises (S2S) traffic. Replace <Scoping condition> and the datetime(<time>) placeholders as in the previous query.
NTANetAnalytics
| where SubType == "FlowLog" and FlowType == "S2S"
| where <Scoping condition>
| mvexpand vm = pack_array(SrcIp, DestIp) to typeof(string)
| where isnotempty(vm)
| extend traffic = AllowedInFlows + DeniedInFlows + AllowedOutFlows + DeniedOutFlows // For bytes use: | extend traffic = InboundBytes + OutboundBytes
| make-series TotalTraffic = sum(traffic) default = 0 on FlowStartTime from datetime(<time>) to datetime(<time>) step 1m by vm
| render timechart
List IPs sending or receiving traffic for a virtual machine
Use the following query to list all IPs that exchanged data with a virtual machine in the last 30 days, identified by the virtual machine's IP address. Replace 10.1.1.8 with the IP address of your virtual machine. The query matches flows in which the virtual machine is either the source or the destination, so connections initiated by other hosts are included.
NTANetAnalytics
| where TimeGenerated > ago(30d)
| where (SrcIp == "10.1.1.8" and isnotempty(DestIp)) or (DestIp == "10.1.1.8" and isnotempty(SrcIp))
| summarize TotalBytes=sum(BytesDestToSrc+BytesSrcToDest) by SrcIp, DestIp
View ExpressRoute traffic
Use the following query to view traffic that traversed an ExpressRoute circuit in the last 30 days, summarized per day by the resource name extracted from TargetResourceId.
NTANetAnalytics
| where SubType == 'FlowLog' and TimeGenerated > ago(30d)
| where isnotnull(SrcExpressRouteCircuit) or isnotnull(DestExpressRouteCircuit)
| extend TargetResourceName = tostring(split(TargetResourceId, "/")[2])
| summarize TotalBytes=sum(BytesSrcToDest + BytesDestToSrc) by TargetResourceName, bin(TimeGenerated, 1d)
| render columnchart
View load balancer traffic distribution
Use the following query to view the distribution of traffic, by source IP, for an application behind a load balancer. The example matches load balancers whose name contains 'web'; replace that string with the name of your load balancer.
NTANetAnalytics
| where SubType == 'FlowLog' and TimeGenerated > ago(30d)
| where SrcLoadBalancer contains 'web' or DestLoadBalancer contains 'web'
| summarize TotalBytes = sum(BytesSrcToDest + BytesDestToSrc) by tostring(SrcIp)
| render piechart
Check the standard deviation of traffic received by virtual machines
Use the following query to check the standard deviation of the traffic that virtual machines receive from on-premises machines.
NTANetAnalytics
| where SubType == "FlowLog" and FlowType == "S2S"
| where <Scoping condition>
| mvexpand vm = pack_array(SrcVm, DestVm) to typeof(string)
| where isnotempty(vm)
| extend traffic = AllowedInFlows + DeniedInFlows + AllowedOutFlows + DeniedOutFlows // For bytes use: | extend traffic = InboundBytes + OutboundBytes
| summarize deviation = stdev(traffic) by vm
Check the standard deviation of traffic received by IPs
Use the following query to check the standard deviation of the traffic that IP addresses receive from on-premises machines.
NTANetAnalytics
| where SubType == "FlowLog" and FlowType == "S2S"
| where <Scoping condition>
| mvexpand IP = pack_array(SrcIp, DestIp) to typeof(string)
| where isnotempty(IP)
| extend traffic = AllowedInFlows + DeniedInFlows + AllowedOutFlows + DeniedOutFlows // For bytes use: | extend traffic = InboundBytes + OutboundBytes
| summarize deviation = stdev(traffic) by IP
NTAIpDetails queries
This section provides sample queries for the NTAIpDetails table, which you use to analyze the IP-specific information in Traffic Analytics data. For more information, see NTAIpDetails.
View flow types and public IP locations
Use the following query to see the flow types and locations of the public IPs in your Traffic Analytics data.
NTAIpDetails
| distinct FlowType, PublicIpDetails, Location
View malicious flow threat types
Use the following query to view the threat types of flows classified as malicious in the last 30 days.
NTAIpDetails
| where TimeGenerated > ago(30d)
| where FlowType == "MaliciousFlow"
| summarize count() by ThreatType
| render piechart
AzureNetworkAnalytics_CL queries
This section provides sample queries for the AzureNetworkAnalytics_CL table, which you use to analyze NSG flow log data processed by Traffic Analytics.
List all subnets interacting with public IPs
Use the following query to list all subnets that interacted with non-Azure public IPs in the last 30 days.
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowStartTime_t >= ago(30d) and FlowType_s == "ExternalPublic"
| project Subnet1_s, Subnet2_s
View blob paths for flows interacting with public IPs
Use the following query to get the storage blob path of each flow returned by the previous query. The query joins the flow log records with the NSG topology records to find the storage account each NSG writes its flow logs to, then builds the hourly blob path from the NSG resource ID, the flow interval start time, and the MAC address of the capturing NIC.
let TableWithBlobId =
(AzureNetworkAnalytics_CL
| where SubType_s == "Topology" and ResourceType == "NetworkSecurityGroup" and DiscoveryRegion_s == Region_s and IsFlowEnabled_b
| extend binTime = bin(TimeProcessed_t, 6h),
nsgId = strcat(Subscription_g, "/", Name_s),
saNameSplit = split(FlowLogStorageAccount_s, "/")
| extend saName = iif(array_length(saNameSplit) == 3, tostring(saNameSplit[2]), '')
| distinct nsgId, saName, binTime)
| join kind = rightouter (
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog"
| extend binTime = bin(FlowEndTime_t, 6h)
) on binTime, $left.nsgId == $right.NSGList_s
| extend blobTime = format_datetime(todatetime(FlowIntervalStartTime_t), "yyyy MM dd HH") // HH is the 24-hour clock, matching the h= segment of the blob path
| extend nsgComponents = split(toupper(NSGList_s), "/"), dateTimeComponents = split(blobTime, " ")
| extend BlobPath = strcat("https://", saName,
"@insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/", nsgComponents[0],
"/RESOURCEGROUPS/", nsgComponents[1],
"/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/", nsgComponents[2],
"/y=", dateTimeComponents[0], "/m=", dateTimeComponents[1], "/d=", dateTimeComponents[2], "/h=", dateTimeComponents[3],
"/m=00/macAddress=", replace_string(MACAddress_s, "-", ""),
"/PT1H.json")
| project-away nsgId, saName, binTime, blobTime, nsgComponents, dateTimeComponents;
TableWithBlobId
| where SubType_s == "FlowLog" and FlowStartTime_t >= ago(30d) and FlowType_s == "ExternalPublic"
| project Subnet1_s, Subnet2_s, BlobPath
The previous query builds a URL for accessing the blob directly, in the following form:
https://{storageAccountName}@insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroup}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{networkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
The year, month, day and hour segments are zero-padded UTC values, the minute segment is always m=00 because each blob covers one hour, and the MAC address is written without separators. The same blob is reachable through the standard Blob Storage endpoint https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/ followed by the identical resourceId=/... path.
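As an added example that is not part of the original article, the following Python function reproduces the path construction above outside KQL, so you can check the layout rules the query relies on: the subscription, resource group and NSG name are upper-cased, the flow interval start is binned to the hour in UTC on a 24-hour clock, and the MAC address is written without separators. The storage account, NSG and MAC values are constructed for illustration, and the host is written in the standard {storageAccountName}.blob.core.windows.net form, which is an assumption of this example rather than the @ shorthand used in the query.

```python
from datetime import datetime, timezone

# Constructed sample inputs (not real resources). The NSG is given in the
# "<subscriptionId>/<resourceGroup>/<nsgName>" form that NSGList_s uses and the
# query splits on "/"; the MAC is in the dashed form Traffic Analytics stores.
SAMPLE_STORAGE_ACCOUNT = "stflowlogsdemo"
SAMPLE_NSG_LIST = "00000000-0000-0000-0000-000000000000/rg-demo/nsg-web"
SAMPLE_BAD_NSG_LIST = "rg-demo/nsg-web"  # missing subscription component
SAMPLE_MAC = "A1-B1-C1-D1-E1-F1"
SAMPLE_FLOW_INTERVAL_START = datetime(2024, 3, 5, 13, 7, 42, tzinfo=timezone.utc)
SAMPLE_LATE_EVENING = datetime(2024, 3, 5, 23, 59, 0, tzinfo=timezone.utc)

CONTAINER = "insights-logs-networksecuritygroupflowevent"


def nsg_flow_log_blob_path(storage_account: str, nsg_list: str,
                           flow_interval_start: datetime, mac_address: str) -> str:
    """Return the path of the hourly PT1H.json blob that holds a flow.

    Mirrors the KQL: resource components are upper-cased, the timestamp is
    binned to the hour in UTC (24-hour clock, zero-padded), the minute segment
    is fixed to m=00, and the MAC address loses its separators.
    """
    parts = nsg_list.upper().split("/")
    if len(parts) != 3:
        raise ValueError(f"expected subscription/resourceGroup/nsg, got {nsg_list!r}")
    subscription, resource_group, nsg_name = parts

    if flow_interval_start.tzinfo is None:
        raise ValueError("flow_interval_start must be timezone-aware")
    t = flow_interval_start.astimezone(timezone.utc)

    # The macAddress path segment has no separators; accept dashed or
    # colon-separated input so the function works for both table formats.
    mac = mac_address.replace("-", "").replace(":", "").upper()

    return (
        f"https://{storage_account}.blob.core.windows.net/{CONTAINER}"
        f"/resourceId=/SUBSCRIPTIONS/{subscription}"
        f"/RESOURCEGROUPS/{resource_group}"
        f"/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsg_name}"
        f"/y={t:%Y}/m={t:%m}/d={t:%d}/h={t:%H}/m=00"
        f"/macAddress={mac}/PT1H.json"
    )


if __name__ == "__main__":
    print(nsg_flow_log_blob_path(SAMPLE_STORAGE_ACCOUNT, SAMPLE_NSG_LIST,
                                 SAMPLE_FLOW_INTERVAL_START, SAMPLE_MAC))
```

The 23:59 case is the one the original query got wrong with a 12-hour format: the path must end up under h=23, not h=11.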
List virtual machines receiving the most on-premises traffic
Use the following query to check which virtual machines receive the most on-premises (S2S) traffic. Replace <Scoping condition> and the datetime(<time>) placeholders with your own filter and time range.
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowType_s == "S2S"
| where <Scoping condition>
| mvexpand vm = pack_array(VM1_s, VM2_s) to typeof(string)
| where isnotempty(vm)
| extend traffic = AllowedInFlows_d + DeniedInFlows_d + AllowedOutFlows_d + DeniedOutFlows_d // For bytes use: | extend traffic = InboundBytes_d + OutboundBytes_d
| make-series TotalTraffic = sum(traffic) default = 0 on FlowStartTime_t from datetime(<time>) to datetime(<time>) step 1m by vm
| render timechart
List IPs receiving the most on-premises traffic
Use the following query to check which IP addresses receive the most on-premises (S2S) traffic. Uncomment the scoping line to narrow the result.
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowType_s == "S2S"
//| where <Scoping condition>
| mvexpand IP = pack_array(SrcIP_s, DestIP_s) to typeof(string)
| where isnotempty(IP)
| extend traffic = AllowedInFlows_d + DeniedInFlows_d + AllowedOutFlows_d + DeniedOutFlows_d // For bytes use: | extend traffic = InboundBytes_d + OutboundBytes_d
| make-series TotalTraffic = sum(traffic) default = 0 on FlowStartTime_t from datetime(<time>) to datetime(<time>) step 1m by IP
| render timechart
Check the standard deviation of traffic received by virtual machines
Use the following query to check the standard deviation of the traffic that virtual machines receive from on-premises machines.
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowType_s == "S2S"
//| where <Scoping condition>
| mvexpand vm = pack_array(VM1_s, VM2_s) to typeof(string)
| where isnotempty(vm)
| extend traffic = AllowedInFlows_d + DeniedInFlows_d + AllowedOutFlows_d + DeniedOutFlows_d // For bytes use: | extend traffic = InboundBytes_d + OutboundBytes_d
| summarize deviation = stdev(traffic) by vm
Check the standard deviation of traffic received by IPs
Use the following query to check the standard deviation of the traffic that IP addresses receive from on-premises machines.
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowType_s == "S2S"
//| where <Scoping condition>
| mvexpand IP = pack_array(SrcIP_s, DestIP_s) to typeof(string)
| where isnotempty(IP)
| extend traffic = AllowedInFlows_d + DeniedInFlows_d + AllowedOutFlows_d + DeniedOutFlows_d // For bytes use: | extend traffic = InboundBytes_d + OutboundBytes_d
| summarize deviation = stdev(traffic) by IP
Check which ports are reachable or blocked between IP pairs by NSG rule
Use the following query to check which ports are reachable (or blocked) between IP pairs, together with the NSG and the rule that allowed or denied the flow. SrcPublicIPs_s and DestPublicIPs_s hold space-separated entries of the form ip|..., so the query expands them and keeps only the IP part; private flows carry a single address in SrcIP_s or DestIP_s. Set startTime and endTime to the time range you want to check.
let startTime = ago(1d); // Replace with the start of the time range to check
let endTime = now();     // Replace with the end of the time range to check
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and TimeGenerated between (startTime .. endTime)
| extend sourceIPs = iif(isempty(SrcIP_s), split(SrcPublicIPs_s," "), pack_array(SrcIP_s)),
destIPs = iif(isempty(DestIP_s), split(DestPublicIPs_s," "), pack_array(DestIP_s))
| mvexpand SourceIp = sourceIPs to typeof(string)
| mvexpand DestIp = destIPs to typeof(string)
| project SourceIp = tostring(split(SourceIp, "|")[0]), DestIp = tostring(split(DestIp, "|")[0]), NSGList_s, NSGRule_s, DestPort_d, L4Protocol_s, FlowStatus_s
| summarize DestPorts = make_set(DestPort_d) by SourceIp, DestIp, NSGList_s, NSGRule_s, L4Protocol_s, FlowStatus_s
Prevent duplicate records
If flow logging is enabled on both ends of a connection, the same flow is captured on more than one device. If all of those flow logs are aggregated in the same Log Analytics workspace, the data is therefore present twice. To deduplicate the records and tell them apart, filter on FlowDirection or MacAddress.
In a flow/connection:
- MacAddress is the MAC address of the device (NIC) on which the flow was captured.
- SrcIp is the IP address of the device that initiated the connection.
- DestIp is the IP address of the device the connection was made to.
- FlowDirection is the direction of the connection relative to the capturing device. For example, when a connection is made from VM1 (IP 10.0.0.4, MAC A1:B1:C1:D1:E1:F1) to VM2 (IP 10.0.0.5, MAC A2:B2:C2:D2:E2:F2), FlowDirection is Outbound if the flow was captured on VM1 and Inbound if it was captured on VM2.
- BytesSrcToDest/PacketsSrcToDest are the bytes or packets sent from the source to the destination, regardless of where they were captured.
- BytesDestToSrc/PacketsDestToSrc are the bytes or packets sent from the destination to the source, regardless of where they were captured.
For example, a connection from VM1 to VM2 produces the following two records:
| Captured on | SrcIp | DestIp | MacAddress | BytesSrcToDest | BytesDestToSrc | FlowDirection |
|---|---|---|---|---|---|---|
| VM1 | 10.0.0.4 | 10.0.0.5 | A1:B1:C1:D1:E1:F1 | 100 | 200 | Outbound |
| VM2 | 10.0.0.4 | 10.0.0.5 | A2:B2:C2:D2:E2:F2 | 100 | 200 | Inbound |
SrcIp, DestIp and the byte counts are identical in both rows; only MacAddress and FlowDirection identify which capture a row came from. Summing BytesSrcToDest for SrcIp 10.0.0.4 without one of those filters therefore returns 200 instead of 100.
You can use any of the following queries to compute the total outbound bytes of the device with IP address 10.0.0.4 and MAC address A1:B1:C1:D1:E1:F1 for connections that this device initiated.
NTANetAnalytics
| where SubType == "FlowLog"
| where SrcIp == "10.0.0.4" and MacAddress == "A1:B1:C1:D1:E1:F1" and FlowDirection == "Outbound"
| summarize totalIniBytes = sum(BytesSrcToDest);
NTANetAnalytics
| where SubType == "FlowLog"
| where SrcIp == "10.0.0.4" and FlowDirection == "Outbound"
| summarize totalIniBytes = sum(BytesSrcToDest);
NTANetAnalytics
| where SubType == "FlowLog"
| where SrcIp == "10.0.0.4" and MacAddress == "A1:B1:C1:D1:E1:F1"
| summarize totalIniBytes = sum(BytesSrcToDest);
Similarly, you can use any of the following queries to compute the total outbound bytes of the same device for connections that other devices initiated to it. In those flows the device is the destination, so the bytes it sent are BytesDestToSrc.
NTANetAnalytics
| where SubType == "FlowLog"
| where DestIp == "10.0.0.4" and MacAddress == "A1:B1:C1:D1:E1:F1" and FlowDirection == "Inbound"
| summarize totalNoniniBytes = sum(BytesDestToSrc)
NTANetAnalytics
| where SubType == "FlowLog"
| where DestIp == "10.0.0.4" and FlowDirection == "Inbound"
| summarize totalNoniniBytes = sum(BytesDestToSrc)
NTANetAnalytics
| where SubType == "FlowLog"
| where DestIp == "10.0.0.4" and MacAddress == "A1:B1:C1:D1:E1:F1"
| summarize totalNoniniBytes = sum(BytesDestToSrc)
You can use the following query to compute the total outbound bytes of the device across both kinds of connections. Each subquery keeps FlowEndTime in its summarize so that the two result sets can be joined on it; the full outer join produces null on whichever side has no row for a given FlowEndTime, and sum() ignores those nulls.
let InitiatedByVM = NTANetAnalytics
| where SubType == "FlowLog"
| where SrcIp == "10.0.0.4" and MacAddress == "A1:B1:C1:D1:E1:F1" and FlowDirection == "Outbound"
| summarize totalIniBytes = sum(BytesSrcToDest) by FlowEndTime;
let NotInitiatedByVM = NTANetAnalytics
| where SubType == "FlowLog"
| where DestIp == "10.0.0.4" and MacAddress == "A1:B1:C1:D1:E1:F1" and FlowDirection == "Inbound"
| summarize totalNoniniBytes = sum(BytesDestToSrc) by FlowEndTime;
InitiatedByVM
| join kind=fullouter NotInitiatedByVM on FlowEndTime
| extend Time = iff(isnotnull(FlowEndTime), FlowEndTime, FlowEndTime1)
| summarize totalMB = (sum(totalIniBytes) + sum(totalNoniniBytes)) / 1024.0 / 1024.0;
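As an added example that is not part of the original article, the following Python script models the double-capture scenario described in this section with constructed NTANetAnalytics-like rows: the VM1 to VM2 connection from the table, plus a second connection opened by a third host to VM1, each captured on both endpoints. It shows that an unfiltered sum double counts, and that filtering on MacAddress, on FlowDirection, or on both yields the same per-device totals, which is why any of the three query variants above is sufficient. The field names mirror the table columns; the records, IPs and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """One NTANetAnalytics FlowLog row, reduced to the fields that matter here."""
    mac_address: str        # MacAddress: NIC on which the flow was captured
    src_ip: str             # SrcIp: initiator of the connection
    dest_ip: str            # DestIp: responder
    bytes_src_to_dest: int  # BytesSrcToDest, the same on every capture of the flow
    bytes_dest_to_src: int  # BytesDestToSrc, the same on every capture of the flow
    flow_direction: str     # FlowDirection relative to the capturing NIC


# Constructed sample data: (IP, MAC) of three VMs that all have flow logging on.
VM1 = ("10.0.0.4", "A1:B1:C1:D1:E1:F1")
VM2 = ("10.0.0.5", "A2:B2:C2:D2:E2:F2")
VM3 = ("10.0.0.6", "A3:B3:C3:D3:E3:F3")

SAMPLE_FLOWS = [
    # VM1 -> VM2 (the table above): 100 bytes out, 200 bytes back, captured twice
    FlowRecord(VM1[1], VM1[0], VM2[0], 100, 200, "Outbound"),
    FlowRecord(VM2[1], VM1[0], VM2[0], 100, 200, "Inbound"),
    # VM3 -> VM1: 50 bytes to VM1, 300 bytes back from VM1, also captured twice
    FlowRecord(VM3[1], VM3[0], VM1[0], 50, 300, "Outbound"),
    FlowRecord(VM1[1], VM3[0], VM1[0], 50, 300, "Inbound"),
]


def naive_initiated_outbound(flows: Iterable[FlowRecord], ip: str) -> int:
    """Sum BytesSrcToDest over every row where ip is the source: double counts."""
    return sum(f.bytes_src_to_dest for f in flows if f.src_ip == ip)


def naive_responder_outbound(flows: Iterable[FlowRecord], ip: str) -> int:
    """Sum BytesDestToSrc over every row where ip is the destination: double counts."""
    return sum(f.bytes_dest_to_src for f in flows if f.dest_ip == ip)


def device_bytes(flows: Iterable[FlowRecord], ip: str, mac: str,
                 key: str = "both") -> Tuple[int, int]:
    """Return (outbound, inbound) bytes for one NIC, counting each flow once.

    key selects the deduplication filter, mirroring the three query variants:
    "mac" keeps rows captured on this NIC, "direction" keeps rows whose
    FlowDirection matches the device's role in the flow, "both" requires both.
    """
    if key not in ("mac", "direction", "both"):
        raise ValueError(f"unknown deduplication key {key!r}")
    outbound = inbound = 0
    for f in flows:
        on_this_nic = f.mac_address == mac
        if f.src_ip == ip:
            # This device initiated the connection; its own capture is Outbound.
            keep = {"mac": on_this_nic,
                    "direction": f.flow_direction == "Outbound",
                    "both": on_this_nic and f.flow_direction == "Outbound"}[key]
            if keep:
                outbound += f.bytes_src_to_dest
                inbound += f.bytes_dest_to_src
        elif f.dest_ip == ip:
            # Another device opened the connection; this device's capture is Inbound.
            keep = {"mac": on_this_nic,
                    "direction": f.flow_direction == "Inbound",
                    "both": on_this_nic and f.flow_direction == "Inbound"}[key]
            if keep:
                outbound += f.bytes_dest_to_src
                inbound += f.bytes_src_to_dest
    return outbound, inbound


if __name__ == "__main__":
    print("naive initiated outbound for VM1:", naive_initiated_outbound(SAMPLE_FLOWS, VM1[0]))
    for key in ("mac", "direction", "both"):
        print(f"deduplicated by {key}:", device_bytes(SAMPLE_FLOWS, VM1[0], VM1[1], key))
```

For VM1 the unfiltered sums give 200 initiated-outbound bytes and 600 responder-outbound bytes, twice the true values; every deduplicated variant reports 400 bytes out (100 it sent as initiator plus 300 it sent as responder) and 250 bytes in.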