Skip to content

Commit 2697f35

Browse files
awslesawsles
committed
Update Kusto Graph Explorer Queries.md
1 parent 3ec0403 commit 2697f35

File tree

1 file changed

+122
-6
lines changed

1 file changed

+122
-6
lines changed

AZURE/Kusto Graph Explorer Queries.md

Lines changed: 122 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -120,13 +120,93 @@ Resources
120120
```
121121
Resources
122122
| where type =~ "microsoft.network/networkinterfaces"
123+
| mv-expand ipConfigurations = properties.ipConfigurations
123124
| extend ipCount = array_length(properties.ipConfigurations)
124-
| extend privateIPType = tostring(properties.ipConfigurations[0].properties["privateIPAllocationMethod"])
125-
| extend privateIP = tostring(properties.ipConfigurations[0].properties["privateIPAddress"])
126-
| extend publicIP = tostring(properties.ipConfigurations[0].properties["publicIPAddress"])
127-
| extend subnet = tostring(properties.ipConfigurations[0].properties.subnet["id"])
125+
| extend privateIPType = tostring(ipConfigurations.properties["privateIPAllocationMethod"])
126+
| extend privateIP = tostring(ipConfigurations.properties["privateIPAddress"])
127+
| extend publicIP = tostring(ipConfigurations.properties["publicIPAddress"])
128+
| extend subnet = tostring(ipConfigurations.properties.subnet["id"])
129+
```
130+
131+
132+
### List all Network Interfaces (NICs)
133+
This lists both their public and private IP addresses and associated subnet ID.
134+
```
135+
Resources
136+
| where type =~ "microsoft.network/networkinterfaces"
137+
| mv-expand ipConfigurations = properties.ipConfigurations
138+
| extend ipCount = array_length(properties.ipConfigurations)
139+
| extend privateIPType = tostring(ipConfigurations.properties["privateIPAllocationMethod"])
140+
| extend privateIP = tostring(ipConfigurations.properties["privateIPAddress"])
141+
| extend subnetId = tostring(ipConfigurations.properties.subnet["id"])
142+
| extend publicIPid = tostring(ipConfigurations.properties["publicIPAddress"].id)
143+
| extend nicId = tostring(id)
144+
| join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions'
145+
| project subscriptionName=name, subscriptionId) on subscriptionId
146+
| join kind=leftouter (Resources
147+
| where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress)
148+
| extend publicIP = tostring(properties.ipAddress),
149+
publicIPid = tostring(id)) on publicIPid
150+
| join kind=leftouter (Resources | where type == "microsoft.network/networksecuritygroups"
151+
| mv-expand nics = properties.networkInterfaces
152+
| extend nicId = tostring (nics.id),
153+
nicNSG = name,
154+
resourceGroupNSG = resourceGroup ) on nicId
155+
| project subscriptionName, name, resourceGroup, location, ipCount, privateIPType, privateIP, publicIP, nicNSG, resourceGroupNSG, tags, subnetId, nicId
128156
```
129157

158+
159+
### List all Network Interfaces (NICs) with NSG detail
160+
This lists all NICs with the associated NSG, subnet, subnet NSG,
161+
and their public and private IP addresses. Very use for seeing which VMs
162+
are protected ny an NSG and which are not.
163+
164+
```
165+
Resources
166+
| where type =~ "microsoft.network/networkinterfaces"
167+
| mv-expand ipConfigurations = properties.ipConfigurations
168+
| extend ipCount = array_length(properties.ipConfigurations)
169+
| extend privateIPType = tostring(ipConfigurations.properties["privateIPAllocationMethod"])
170+
| extend privateIP = tostring(ipConfigurations.properties["privateIPAddress"])
171+
| extend subnetId = tostring(ipConfigurations.properties.subnet["id"])
172+
| extend publicIPid = tostring(ipConfigurations.properties["publicIPAddress"].id)
173+
| extend nicId = tostring(id)
174+
| join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions'
175+
| project subscriptionName=name, subscriptionId) on subscriptionId
176+
| join kind=leftouter (Resources
177+
| where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress)
178+
| extend publicIP = tostring(properties.ipAddress),
179+
publicIPid = tostring(id)) on publicIPid
180+
| join kind=leftouter (Resources | where type == "microsoft.network/networksecuritygroups"
181+
| mv-expand nics = properties.networkInterfaces
182+
| extend nicId = tostring (nics.id),
183+
nicNSG = name,
184+
nicNSGgroup = resourceGroup ) on nicId
185+
| join kind=leftouter (Resources | where type == "microsoft.network/networksecuritygroups"
186+
| mv-expand subnets = properties.subnets
187+
| extend subnetId = tostring(subnets.id),
188+
vnetName = split(tostring(subnets.id),'/')[8],
189+
subnetName = split(tostring(subnets.id),'/')[10],
190+
subnetNSG = name,
191+
subnetNSGgroup = resourceGroup
192+
) on subnetId
193+
| project subscriptionName, nicName=name, resourceGroup, vnetName, subnetName, nicNSG, subnetNSG, location, ipCount, privateIPType, privateIP, publicIP, tags, subnetId, nicId
194+
```
195+
196+
As there is a limit of four (4) joins ina kusto resource graph query, we can either return the subscription name or the associated VM name.
197+
198+
```
199+
Resources
200+
| where type == "microsoft.compute/virtualmachines" and isnotempty(properties.networkProfile.networkInterfaces)
201+
| extend vmName = name,
202+
vmResourceGroup = resourceGroup,
203+
vmSize = tostring(properties.hardwareProfile.vmSize),
204+
osType = tostring(properties.storageProfile.osDisk.osType),
205+
nicId = tostring(properties.networkProfile.networkInterfaces[0].id)
206+
```
207+
208+
209+
130210
### List FQDNs
131211
This is usually just database servers.
132212
```
@@ -139,7 +219,7 @@ Resources
139219
```
140220
Resources
141221
| where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress)
142-
| extend publicIP = tostring(properties.ipAddress)
222+
| extend publicIP = tostring(properties.ipAddress)
143223
```
144224

145225

@@ -229,8 +309,44 @@ Resources
229309
| sort by privateIP asc
230310
```
231311

312+
### List all vNets and subnets
313+
This lists them all with associated IP addresses (public and private) and NSGs
314+
315+
```
316+
resources
317+
| where type == "microsoft.network/virtualnetworks"
318+
| mv-expand subnets = properties.subnets
319+
| extend subnetName = subnets.name,
320+
addressPrefix = subnets.properties.addressPrefix,
321+
p = subnets.properties,
322+
subnetId = strcat(id,'/subnets/',subnets.name)
323+
| join kind=leftouter (ResourceContainers | where type =~ 'microsoft.resources/subscriptions'
324+
| project subscriptionName=name, subscriptionId) on subscriptionId
325+
| join kind=leftouter (Resources | where type == "microsoft.network/networksecuritygroups"
326+
| mv-expand subnets = properties.subnets
327+
| extend subnetId = tostring(subnets.id),
328+
subnetNSG = name,
329+
resourceGroupNSG = resourceGroup
330+
) on subnetId
331+
| project subscriptionName, vnetName=name, subnetName, addressPrefix, resourceGroup, location, subnetNSG, resourceGroupNSG, tags, subnetId, id
332+
```
333+
334+
335+
### List all NSGs with associated NICs
336+
337+
```
338+
Resources
339+
| where type == "microsoft.network/networksecuritygroups"
340+
| mv-expand networkInterfaces = properties.networkInterfaces
341+
342+
Resources
343+
| where type == "microsoft.network/networksecuritygroups"
344+
| mv-expand subnets = properties.subnets
345+
| extend subnetId = subnets.id
346+
```
347+
232348

233-
### List Virtuan Networks (VNets) with IP addresses
349+
### List Virtual Networks (VNets) with IP addresses
234350
This is crude as I need to way to count and join all instances
235351

236352
```

0 commit comments

Comments
 (0)