Log Analytics Syntax post series: #4 : WireData

One of the most interesting sets of syntax has been the use of WireData. I'm not really a networking person, but the way you can visualise and assess the data is very useful.
For all of these, replace aDomainName.co.uk with your own FQDN.

I started by looking at traffic from a subnet and the remote (or local) IP addresses that were being used; this helped identify an increase in traffic we had seen in the OMS Usage report:
Type=WireData LocalSubnet="192.168.35.0/24" | measure count() by RemoteIP
or
Type=WireData LocalSubnet="192.168.35.0/24" | measure count() by LocalIP
A variant of the above is to group by remote country. This was useful for understanding that we had a lot of outbound traffic (in our case mainly to the US). It can also identify where remote computers are located; it's a very visual query that lists the countries in order of most traffic.
Type=WireData LocalSubnet="192.168.35.0/24" | measure count() by RemoteIPCountry
I also found combining IP addresses with RegEx the best way to look at ranges of addresses:
Type=WireData RemoteIP!=RegEx("192.168.35.*") | Select RemoteIP | Dedup Computer
You can modify the above by adding other fields to the Select statement, such as Select RemoteIP, Computer, RemoteIPCountry
——————————————————————————————————————————————————————————————
If you combine the above with a Computer name RegEx filter, you can further reduce the results:
Type=WireData RemoteIP!=RegEx("192.168.35.*") (Computer=RegEx("..@.aDomainName.co.uk")) | Select RemoteIP | Dedup RemoteIP
Next I wanted to see the data without the loopback address (127.0.0.1) and the local subnet. The "!=" operator means "not equal to" in the OMS query language; because both exclusions have to hold at the same time, they are combined with AND (with OR, any address that fails one test passes the other, so nothing would be filtered out):
Type=WireData (RemoteIP!=RegEx("192.168.35.*") AND RemoteIP!="127.0.0.1" AND Computer=RegEx("@2016.aDomainName.co.uk")) | Measure count() by RemoteIP
In this modification I excluded a second local subnet, grouped by country name, and added outbound traffic as a filter:
Type=WireData (RemoteIP!=RegEx("192.168.35.*") AND RemoteIP!=RegEx("192.168.34.*") AND RemoteIP!="127.0.0.1" AND Computer=RegEx("DC@.aDomainName.co.uk")) (Direction=Outbound) | Measure count() by RemoteIPCountry
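The following is an added example, not part of the original post or of the OMS product: it reproduces the logic of the queries above in Python over a handful of constructed WireData-style records (hypothetical computer names, addresses and countries), so the subnet, loopback, computer-name and direction filters and the count-by aggregations can be checked offline. The function names and the two local subnets are assumptions for the example. It also shows, for comparison, why a RegEx("192.168.35.*") test is a text-prefix match rather than a subnet match, and uses the ipaddress module for the real check.

```python
# Added example (not from the original post): WireData-style filtering and
# count-by aggregation in Python over constructed sample records.
import ipaddress
import re
from collections import Counter

# Constructed sample WireData records (hypothetical values, not real telemetry).
SAMPLE_WIREDATA = [
    {"Computer": "DC01.aDomainName.co.uk", "LocalIP": "192.168.35.10", "LocalSubnet": "192.168.35.0/24",
     "RemoteIP": "192.168.35.20", "RemoteIPCountry": "", "Direction": "Outbound"},
    {"Computer": "DC01.aDomainName.co.uk", "LocalIP": "192.168.35.10", "LocalSubnet": "192.168.35.0/24",
     "RemoteIP": "127.0.0.1", "RemoteIPCountry": "", "Direction": "Inbound"},
    {"Computer": "WEB01.aDomainName.co.uk", "LocalIP": "192.168.35.11", "LocalSubnet": "192.168.35.0/24",
     "RemoteIP": "13.107.42.14", "RemoteIPCountry": "United States", "Direction": "Outbound"},
    {"Computer": "WEB01.aDomainName.co.uk", "LocalIP": "192.168.35.11", "LocalSubnet": "192.168.35.0/24",
     "RemoteIP": "13.107.42.14", "RemoteIPCountry": "United States", "Direction": "Outbound"},
    {"Computer": "APP01.aDomainName.co.uk", "LocalIP": "192.168.34.5", "LocalSubnet": "192.168.34.0/24",
     "RemoteIP": "192.168.34.9", "RemoteIPCountry": "", "Direction": "Outbound"},
    {"Computer": "APP01.aDomainName.co.uk", "LocalIP": "192.168.34.5", "LocalSubnet": "192.168.34.0/24",
     "RemoteIP": "51.140.1.1", "RemoteIPCountry": "United Kingdom", "Direction": "Inbound"},
    {"Computer": "WEB01.aDomainName.co.uk", "LocalIP": "192.168.35.11", "LocalSubnet": "192.168.35.0/24",
     "RemoteIP": "203.0.113.7", "RemoteIPCountry": "Australia", "Direction": "Outbound"},
]

# Assumed local subnets for the example (the post excludes 192.168.35.0/24 and 192.168.34.0/24).
LOCAL_NETS = [ipaddress.ip_network("192.168.35.0/24"), ipaddress.ip_network("192.168.34.0/24")]


def count_by(records, field):
    """Equivalent of '| measure count() by <field>', most frequent first."""
    return Counter(r[field] for r in records).most_common()


def in_local_subnet(records, subnet):
    """Equivalent of the LocalSubnet="<subnet>" filter."""
    return [r for r in records if r["LocalSubnet"] == subnet]


def is_external(remote_ip, local_nets=LOCAL_NETS):
    """True when remote_ip is neither loopback nor inside any local subnet.
    A network membership test, not a string prefix test."""
    ip = ipaddress.ip_address(remote_ip)
    return not ip.is_loopback and not any(ip in net for net in local_nets)


def external_remote_ips(records, computer_pattern=None, direction=None):
    """Non-local RemoteIPs with optional Computer RegEx and Direction filters,
    then '| Select RemoteIP | Dedup RemoteIP' (first-seen order kept).
    Every exclusion must hold at once, so the tests are ANDed."""
    pat = re.compile(computer_pattern) if computer_pattern else None
    seen = []
    for r in records:
        if not is_external(r["RemoteIP"]):
            continue
        if pat and not pat.search(r["Computer"]):
            continue
        if direction and r["Direction"] != direction:
            continue
        if r["RemoteIP"] not in seen:
            seen.append(r["RemoteIP"])
    return seen


def external_traffic_by_country(records, direction="Outbound"):
    """Non-local flows counted by RemoteIPCountry, outbound only by default."""
    ext = [r for r in records
           if is_external(r["RemoteIP"]) and (not direction or r["Direction"] == direction)]
    return count_by(ext, "RemoteIPCountry")


def regex_prefix_matches(remote_ip, pattern=r"192.168.35.*"):
    """The RegEx("192.168.35.*") style from the post: unescaped dots match any
    character, so this is a text-prefix test rather than a subnet test."""
    return re.match(pattern, remote_ip) is not None


if __name__ == "__main__":
    sub = in_local_subnet(SAMPLE_WIREDATA, "192.168.35.0/24")
    print(count_by(sub, "RemoteIP"))
    print(count_by(sub, "RemoteIPCountry"))
    print(external_remote_ips(SAMPLE_WIREDATA, computer_pattern=r"^WEB.*\.aDomainName\.co\.uk$"))
    print(external_traffic_by_country(SAMPLE_WIREDATA))
```

Run it as a script to see the per-address, per-country and deduplicated remote-IP views that correspond to the queries in the post. The regex helper is kept only to make the comparison concrete: "192.168.35.*" is fine as a quick prefix filter in the query language, but for anything other than a /24 aligned on a dotted boundary a CIDR test is the safer way to describe the range.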