Can you try to add Log Analytics in Diagnostic Settings and then try to run the query. Please let me know if that helps and if not I can investigate further. Thank you!
Unable to retrieve Azure Firewall log from portal
Hi,
I was trying to generate logs for Azure threat intelligence, but I am facing an issue.
I am inside the Azure FW -> Logs and clicked on "Run" for the Threat Intelligence rule log data.
However, it is showing the error message below:
'where' operator: Failed to resolve table or column expression named 'AzureDiagnostics'
If issue persists, please open a support ticket. Request id: 12490ba5-154b-415a-8e11-2152535e64ba
Can anybody please help me run the query and get the log for threat intelligence, or let me know how to retrieve this log?
Ananya Sarkar, 311 Reputation points
2020-11-25T05:49:06+00:00
Hi,
I have added the Log Analytics workspace by navigating to my Azure FW -> Diagnostic Settings -> added the analytics workspace. I ran the query, but it is still showing the error message.
'where' operator: Failed to resolve table or column expression named 'AzureDiagnostics'
If issue persists, please open a support ticket. Request id: 25b1b961-1b8c-457d-b901-5de930535462
Ananya Sarkar, 311 Reputation points
2020-11-25T10:30:13.99+00:00
Hi, I can run the query and get the logs now; probably there is a delay after adding the workspace. Thank you so much for the suggestion.
As per the Microsoft documentation for FW threat intelligence, I was trying to test the outbound traffic with testmaliciousdomain.eastus.cloudapp.azure.com. I have created an FW application rule with target FQDN testmaliciousdomain.eastus.cloudapp.azure.com and tried accessing this from the VM through the firewall. But I am not getting any alert for this.
Is there anything wrong that I am doing? Or please let me know how I can do the setup to get a threat intelligence alert for this.
Ananya Sarkar, 311 Reputation points
2020-11-26T09:54:16.23+00:00
Hi @SaiKishor-MSFT,
Thank you so much. I have gone through the above GitHub thread and accordingly I have added the application rule for the FW, and I can see the outbound alert for this test site. However, the MS doc, https://learn.microsoft.com/en-us/azure/firewall/threat-intel, mentions a log excerpt, so where can I get to see this log in that JSON format? In the result section, I can only see these alerts as a list of items.
Ananya Sarkar, 311 Reputation points
2020-11-27T16:27:13.543+00:00
Today I am getting alerts in my Firewall threat intelligence log for a TCP request going out from port 22 of my VM to some target IP on port 54097, as "bruteforce credential", but I am not generating that from my VM.
I am wondering how these requests are getting initiated from my VM, which is inside a FW. Please let me know.
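The JSON log excerpt asked about above, and the port-22 hit in the last post, can be worked through offline. The following is an added example, not part of the thread or of any Microsoft tooling: it parses constructed records laid out like the documented AzureFirewallThreatIntelLog excerpt (the IPs, ports and threat names here are made up) and, as a defender's triage heuristic that is my assumption rather than anything the docs state, flags hits whose source port is a service the VM listens on, since those are worth checking as replies to inbound connections rather than traffic the VM initiated.

```python
import json
import re

# Constructed JSON-lines records in the shape of the Azure Firewall
# threat-intelligence log excerpt; every value below is made up for the example.
SAMPLE_LINES = [
    json.dumps({"category": "AzureFirewallApplicationRule",
                "operationName": "AzureFirewallThreatIntelLog",
                "properties": {"msg": "HTTP request from 10.0.0.5:54074 to "
                               "testmaliciousdomain.eastus.cloudapp.azure.com:80. "
                               "Action: Alert. ThreatIntel: Bot Networks"}}),
    json.dumps({"category": "AzureFirewallNetworkRule",
                "operationName": "AzureFirewallThreatIntelLog",
                "properties": {"msg": "TCP request from 10.0.0.4:22 to 203.0.113.9:54097. "
                               "Action: Alert. ThreatIntel: Bruteforce Credential"}}),
    # Ordinary network-rule record: not a threat-intel hit, must be skipped.
    json.dumps({"category": "AzureFirewallNetworkRule",
                "operationName": "AzureFirewallNetworkRule",
                "properties": {"msg": "TCP request from 10.0.0.4:51234 to 198.51.100.7:443. "
                               "Action: Allow"}}),
]

# "<proto> request from <src>:<sport> to <dst>:<dport>. Action: <action>[. ThreatIntel: <threat>]"
MSG_RE = re.compile(
    r"^(?P<protocol>\S+) request from (?P<src>.+?):(?P<sport>\d+) "
    r"to (?P<dst>.+?):(?P<dport>\d+)\. Action: (?P<action>\w+)"
    r"(?:\. ThreatIntel: (?P<threat>.+))?$"
)

# Assumption for the heuristic: ports the VM serves rather than dials out from.
LISTENER_PORTS = {22, 3389}


def parse_threat_intel(lines):
    """Return parsed threat-intel hits from JSON-lines records; skip everything else."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("operationName") != "AzureFirewallThreatIntelLog":
            continue
        m = MSG_RE.match(rec.get("properties", {}).get("msg", ""))
        if not m:
            continue  # unrecognised msg layout; leave it for manual review
        hit = m.groupdict()
        hit["sport"], hit["dport"] = int(hit["sport"]), int(hit["dport"])
        # Source port on a listening service: likely the VM answering an inbound
        # connection (the far end holds the ephemeral port), so triage it as such.
        hit["likely_reply_traffic"] = hit["sport"] in LISTENER_PORTS
        hits.append(hit)
    return hits
```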