Azure DDoS Protection Workbook

Ravichandran, Gopi Krishna 161 Reputation points
2022-06-20T19:46:07.973+00:00

Hi,

Our hub vnet is now enabled with an Azure DDoS protection plan and I was trying to create the Azure DDoS Protection workbook using the templates available. I also ensured that diagnostic settings are enabled for the Public IP Address (which enables the DDoS Mitigation Flow logs and Mitigation Reports) within the hub Vnet. When executing the following DDoS mitigation reports query in log analytics, I ran into the error below. Could you please help with what's going wrong? The Azure Workbook does not populate the DDoS metrics :(

AzureDiagnostics
| where Category == "DDoSProtectionNotifications" or Category == "DDoSMitigationReports"
| where Resource in~ (split("{Resource:label}", ", "))
| extend TotalTCPPackets = toint(tostring(parse_json(TrafficOverview_s).Total_TCP_packets))
| extend TotalTCPPacketsDropped = toint(tostring(parse_json(TrafficOverview_s).Total_TCP_packets_dropped))
| extend TotalUDPPackets = toint(tostring(parse_json(TrafficOverview_s).Total_UDP_packets))
| extend TotalUDPPacketsDropped = toint(tostring(parse_json(TrafficOverview_s).Total_UDP_packets_dropped))
| extend TotalOtherPackets = toint(tostring(parse_json(TrafficOverview_s).Total_other_packets))
| extend TotalOtherPacketsDropped = toint(tostring(parse_json(TrafficOverview_s).Total_other_packets_dropped))
| extend TotalPackets = toint(tostring(parse_json(TrafficOverview_s).Total_packets))
| extend TotalPacketsDropped = toint(tostring(parse_json(TrafficOverview_s).Total_packets_dropped))
| summarize sum(TotalPacketsDropped), sum(TotalPackets), sum(TotalUDPPackets),sum(TotalUDPPacketsDropped),sum(TotalOtherPackets),sum(TotalOtherPacketsDropped),sum(TotalTCPPackets),sum(TotalTCPPacketsDropped)
| extend TotalPackets = sum_TotalPackets , TotalPacketsDropped = sum_TotalPacketsDropped, TotalUDPPackets = sum_TotalUDPPackets, TotalUDPPacketsDropped = sum_TotalUDPPacketsDropped, TotalOtherPackets = sum_TotalOtherPackets, TotalOtherPacketsDropped = sum_TotalOtherPacketsDropped, TotalTCPPackets = sum_TotalTCPPackets, TotalTCPPacketsDropped = sum_TotalTCPPacketsDropped
| project TotalPackets, TotalPacketsDropped, TotalTCPPackets, TotalTCPPacketsDropped, TotalUDPPackets, TotalUDPPacketsDropped, TotalOtherPackets, TotalOtherPacketsDropped
| evaluate narrow()
| extend TableName = Column
| extend Count = Value
| project TableName, Count

Error: 'extend' operator: Failed to resolve scalar expression named 'TrafficOverview_s'...


Accepted answer
  1. GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
    2022-06-22T12:25:56.05+00:00

    Hello @Ravichandran, Gopi Krishna ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have a hub Vnet enabled with Azure DDoS protection plan and were trying to create Azure DDoS Protection workbook by enabling the diagnostics settings for the Public IP address within the hub Vnet but when executing the DDoS mitigation reports query in log analytics, you got the error "'extend' operator: Failed to resolve scalar expression named 'TrafficOverview_s'".

    The DDoS logs are available only when a resource is actually under attack.

    DDoSProtectionNotifications: Notifications will notify you anytime a public IP resource is under attack, and when attack mitigation is over.
    DDoSMitigationReports: Attack mitigation reports use Netflow protocol data, which is aggregated to provide detailed information about the attack on your resource. Anytime a public IP resource is under attack, report generation will start as soon as the mitigation starts.
    Refer : https://learn.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications

    If there was no real attack, I would request you to simulate a DDoS attack and then query the logs to validate the parameters.
    Refer : https://learn.microsoft.com/en-us/azure/ddos-protection/test-through-simulations

    Azure has the below approved testing partners:

    • BreakingPoint Cloud: a self-service traffic generator where your customers can generate traffic against DDoS Protection-enabled public endpoints for simulations.
    • Red Button: work with a dedicated team of experts to simulate real-world DDoS attack scenarios in a controlled environment.

    Refer : https://learn.microsoft.com/en-us/azure/ddos-protection/test-through-simulations#azure-ddos-simulation-testing-policy

    You can create an account for BreakingPoint Cloud and then follow the steps mentioned in the above doc to simulate a DDoS attack against Azure-hosted public IP addresses that belong to an Azure subscription of your own, which will be validated by Azure Active Directory (Azure AD) before testing.

    After simulating a DDoS attack, try the below query to check if you get the data and then you can apply the required filters to your query:
    AzureDiagnostics
    | where Category == "DDoSProtectionNotifications" or Category == "DDoSMitigationReports"

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

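The error in the question is a schema problem rather than a syntax problem: AzureDiagnostics is a table with a dynamic schema, and the TrafficOverview_s column only exists in a workspace once at least one DDoSMitigationReports record has been ingested. Until a mitigation has actually run, the column is absent and every `extend` that references it fails to resolve. The following is an added example (not the workbook template's own query or code from the answer above) showing how the template query can be written so that it returns an empty result instead of an error while no mitigation data exists. It assumes the same column and JSON field names the template uses; `{Resource:label}` is the workbook parameter from the original query and is kept as-is.

```kusto
AzureDiagnostics
| where Category == "DDoSProtectionNotifications" or Category == "DDoSMitigationReports"
| where Resource in~ (split("{Resource:label}", ", "))
// column_ifexists() substitutes the default when the column has not been created
// in the workspace yet, so the query no longer fails before the first mitigation report.
| extend TrafficOverview = parse_json(column_ifexists("TrafficOverview_s", ""))
// Same field names as the workbook template (assumed to match the report schema).
| extend TotalTCPPackets          = toint(tostring(TrafficOverview.Total_TCP_packets)),
         TotalTCPPacketsDropped   = toint(tostring(TrafficOverview.Total_TCP_packets_dropped)),
         TotalUDPPackets          = toint(tostring(TrafficOverview.Total_UDP_packets)),
         TotalUDPPacketsDropped   = toint(tostring(TrafficOverview.Total_UDP_packets_dropped)),
         TotalOtherPackets        = toint(tostring(TrafficOverview.Total_other_packets)),
         TotalOtherPacketsDropped = toint(tostring(TrafficOverview.Total_other_packets_dropped)),
         TotalPackets             = toint(tostring(TrafficOverview.Total_packets)),
         TotalPacketsDropped      = toint(tostring(TrafficOverview.Total_packets_dropped))
// Keep only rows that actually carried a traffic overview; notification rows have none.
| where isnotnull(TotalPackets)
| summarize TotalPackets             = sum(TotalPackets),
            TotalPacketsDropped      = sum(TotalPacketsDropped),
            TotalTCPPackets          = sum(TotalTCPPackets),
            TotalTCPPacketsDropped   = sum(TotalTCPPacketsDropped),
            TotalUDPPackets          = sum(TotalUDPPackets),
            TotalUDPPacketsDropped   = sum(TotalUDPPacketsDropped),
            TotalOtherPackets        = sum(TotalOtherPackets),
            TotalOtherPacketsDropped = sum(TotalOtherPacketsDropped)
// Pivot the single summary row into (name, value) pairs for the workbook tile.
| evaluate narrow()
| project TableName = Column, Count = Value
```

Naming the aggregates directly in `summarize` removes the template's extra `extend`/`project` renaming step without changing the output. To confirm which columns the workspace has actually seen before touching the workbook, `AzureDiagnostics | where Category == "DDoSMitigationReports" | getschema` lists the columns currently present; if TrafficOverview_s is missing there, no mitigation report has been ingested yet, which matches the explanation in the accepted answer.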
