Azure Log Analytics: Cross-workspace connections

I’ve had the script for a while, but didn’t finish the last part until today. Many of my Azure connected Servers are dual-homed to Azure Monitor Logs (required by our IT Security people). So this report shows me which ones are connected to one or both workspaces.

Instructions:

You need to provide the long form workspace IDs in lines 2 & 3.

In lines 7 & 8 you can change the names from my workspace ones to ones you’ll understand- also change lines 11& 12 to match.

Note: This only works if you have DnsEvents data collected and EventID 257 in particular – this may need enabling on your DNS hosts
I’m also using the WireData table at the end to lookup and resolve the IP to Name, if you dont have this please delete or comment out the final 6 (six) lines.


// define the workspace IDs you want to check
let workspace1 = "a11ae7ae-ce7c-this is a fake line";
let workspace2 = "14a1bb25-c2f4-this is also fake";
DnsEvents
| where Name endswith "oms.opinsights.azure.com" and ClientIP !="::1" and ClientIP !="127.0.0.1"
// !!!! change next six rows to reflect your own workspace names !!!
| summarize mtcWorkspace = iif(countif(Name startswith (workspace1)) > 0 == true," ✅"," ❌"),
Fabrikamltdprod = iif(countif(Name startswith (workspace2)) > 0 == true," ✅"," ❌")
by ClientIP
// After ClientIP these are the Column headings, change to your own
| distinct ClientIP, mtcWorkspace, Fabrikamltdprod
| project ClientIP, mtcWorkspace, Fabrikamltdprod
| join kind=inner (
WireData
| distinct LocalIP, Computer
| project LocalIP, Computer
) on $left.ClientIP == $right.LocalIP
| project-away LocalIP

It should look like this:

This looks great when pinned to an Azure Dashboard – one of the reasons I used the green and red boxes rather than words/numbers in the output – so it stands out more.