Few concerns on Azure FW logs

Ananya Sarkar 311 Reputation points
2020-11-30T13:04:47.103+00:00

1) I have created a Azure firewall and added a log analytics workspace for this FW. The threat intelligence is in "Alert & deny" mode. I have added a NAT rule for this FW, to allow port 22 of the VM. But inside FW-> logs, I am not getting the inbound alerts for threat intelligence for this FW, its been more than 4 hrs now. Plz let me know how to get threat intelligence inbound alerts?

2) Also for outbound alert for threat intelligence, an url "testmaliciousdomain.eastus.cloudapp.azure.com" is mentioned in the MS documentation. However this url shows "Site can't be reached" when trying to access it through browser. Is it expected? Do we have any other test malicious site url for testing?

3) I have not created any network rule for this FW, but in FW-> logs, it is showing network rule logs. Does a network rule created automatically when we create a NAT rule?

4) When I am seeing the metrics for FW, it is showing application rule hit count as a high number >600, but from VM i have only accessed few sites manually. In that case how these application rule count is getting increased to a high number? Is there any process runs in the VM that sends some outbound traffic which gets captured as application rule hit count?

5) Do we have Azure FW flow log feature, if yes can you plz provide the documentation link?

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
467 questions
0 comments No comments
{count} votes

Accepted answer
  1. suvasara-MSFT 9,931 Reputation points
    2020-12-01T09:27:05.077+00:00

    @Ananya Sarkar ,

    1.Azure Firewall doesn't alert on all known port scanners; only on scanners that are known to also engage in malicious activity.

    2.Apologies for the inconvenience. This has been a long-time ask to change this URL as it is not working "testmaliciousdomain.eastus.cloudapp.azure.com". Will work with respective team to provide a quick PR on the doc with working links.

    3.When a DNAT rule is matched, an implicit corresponding network rule to allow the translated traffic is added.

    4.Need to do a repro to see this abnormal behavior. Will revert on this.

    5.Could you please be more specific on this ask? Are you looking for NSG flow logs model here? AFAIK, this feature is not yet available from Firewall team.


    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Ananya Sarkar 311 Reputation points
    2020-12-01T08:00:35.12+00:00

    Can anybody plz respond to the queries. It is urgent. @suvasara-MSFT

    0 comments No comments

  2. SaiKishor-MSFT 16,841 Reputation points
    2020-12-02T01:58:59.547+00:00

    @Ananya Sarkar

    Regarding Application rule hit count, please make sure that the time range you are looking at is modified to the last 30 minutes or 1 hour 44244-app-rules.png and the time granularity is set to 1 minute. This gives a better idea on the number of hits for the last hour and calculates the hits per minute. Also, looking into the application logs will give you more clarity on all the hits to that specific application rule. You can use the rule filter option to specify the rule that you want to see and it will show you the hits for that rule44107-2020-12-01-17-51-09-az-microsoft-azure-and-12-more.png. Attached screenshots. Please let me know if this clear up some doubts that you have.