Unable to retrieve azure firewall log from portal

Ananya Sarkar 311 Reputation points
2020-11-24T16:07:21.627+00:00

Hi,

I was trying to generate logs for Azure threat intelligence, but I am facing an issue.

I am inside the Azure FW -> Logs and clicked on "Run" for the Threat Intelligence rule log data.
However, it is showing the error message below:
'where' operator: Failed to resolve table or column expression named 'AzureDiagnostics'
If issue persists, please open a support ticket. Request id: 12490ba5-154b-415a-8e11-2152535e64ba

Can anybody please help me run the query and get the log for threat intelligence, or let me know how to retrieve this log?


Accepted answer
  1. SaiKishor-MSFT 17,231 Reputation points
    2020-11-24T19:26:14.237+00:00

    @Ananya Sarkar

    Can you try to add Log Analytics in Diagnostic Settings and then try to run the query? Please let me know if that helps, and if not I can investigate further. Thank you!


5 additional answers

  1. Ananya Sarkar 311 Reputation points
    2020-11-25T05:49:06+00:00

    Hi,

    I have added the Log Analytics workspace by navigating to my Azure FW -> Diagnostic Settings and adding the workspace there. I ran the query, but it is still showing the error message:
    'where' operator: Failed to resolve table or column expression named 'AzureDiagnostics'
    If issue persists, please open a support ticket. Request id: 25b1b961-1b8c-457d-b901-5de930535462


  2. Ananya Sarkar 311 Reputation points
    2020-11-25T10:30:13.99+00:00

    Hi, I can run the query and get the logs now; there is probably a delay after adding the workspace. Thank you so much for the suggestion.

    As per the Microsoft documentation for FW threat intelligence, I was trying to test outbound traffic with testmaliciousdomain.eastus.cloudapp.azure.com. I created an FW application rule with the target FQDN testmaliciousdomain.eastus.cloudapp.azure.com and tried accessing it from the VM through the firewall. But I am not getting any alert for this.
    Is there anything wrong that I am doing? Please let me know how I can set this up to get a threat intelligence alert for it.


  3. Ananya Sarkar 311 Reputation points
    2020-11-26T09:54:16.23+00:00

    Hi @SaiKishor-MSFT,
    Thank you so much. I have gone through the above GitHub thread and accordingly added the application rule for the FW, and I can now see the outbound alert for this test site.

    However, the MS doc, https://learn.microsoft.com/en-us/azure/firewall/threat-intel, mentions a log excerpt, so where can I see this log in that JSON format? In the results section, I can only see these alerts as a list of items.


  4. Ananya Sarkar 311 Reputation points
    2020-11-27T16:27:13.543+00:00

    Today I am getting alerts in my Firewall threat intelligence log for TCP requests going out from port 22 of my VM to some target IP on port 54097, flagged as "bruteforce credential", but I am not generating that from my VM.
    I am wondering how these requests are getting initiated from my VM, which is inside a FW. Please let me know.
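    The query below is an added example, not from this thread or from Microsoft's docs. It serves the two questions above: how to read the threat-intelligence entries once Diagnostic Settings are forwarding firewall logs to the workspace (the 'AzureDiagnostics' table only resolves after the first records arrive), and how to get the fields the documented JSON excerpt shows as columns instead of a flat list. It assumes the legacy AzureDiagnostics schema, the category name "AzureFirewallThreatIntelLog", and a msg_s of the shape "<Protocol> request from <src>:<port> to <dst>:<port>. Action: <Alert|Deny>. ThreatIntel: <name>".

    ```kql
    // Added example (not the thread's own query). Assumes the legacy AzureDiagnostics
    // schema and the documented msg_s layout described in the lead-in.
    AzureDiagnostics
    | where TimeGenerated > ago(24h)
    | where Category == "AzureFirewallThreatIntelLog"
    // Split the free-text message into the fields shown in the documented JSON excerpt.
    | parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int
                       " to " TargetIP ":" TargetPort:int
                       ". Action: " Action ". ThreatIntel: " ThreatIntel
    | project TimeGenerated, Resource, Protocol, SourceIP, SourcePort,
              TargetIP, TargetPort, Action, ThreatIntel
    // Group by the originating VM address and port so repeated hits from one
    // workload (such as the port 22 -> 54097 entries above) stand out together.
    | summarize Hits = count(),
                FirstSeen = min(TimeGenerated),
                LastSeen = max(TimeGenerated),
                Targets = make_set(strcat(TargetIP, ":", TargetPort), 10)
        by SourceIP, SourcePort, Protocol, Action, ThreatIntel
    | order by Hits desc
    ```

    If the 'AzureDiagnostics' table still fails to resolve, no diagnostic records have reached the workspace yet; wait for ingestion after saving the Diagnostic Setting rather than changing the query.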

