Tutorial: View and configure Azure DDoS Protection diagnostic logging

Azure DDoS Protection provides detailed attack insights and visualization with DDoS Attack Analytics. Customers protecting their virtual networks against DDoS attacks have detailed visibility into attack traffic and actions taken to mitigate the attack via attack mitigation reports & mitigation flow logs. Rich telemetry is exposed via Azure Monitor including detailed metrics during the duration of a DDoS attack. Alerting can be configured for any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with Microsoft Sentinel, Splunk (Azure Event Hubs), OMS Log Analytics, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.

The following diagnostic logs are available for Azure DDoS Protection:

  • DDoSProtectionNotifications: A notification is generated whenever a public IP resource comes under attack, and again when attack mitigation ends.
  • DDoSMitigationFlowLogs: Attack mitigation flow logs let you review dropped traffic, forwarded traffic and other data points of interest during an active DDoS attack in near-real time. You can ingest the constant stream of this data into Microsoft Sentinel or into a third-party SIEM via event hub for near-real-time monitoring, so that you can take action and meet the needs of your defense operations.
  • DDoSMitigationReports: Attack mitigation reports use NetFlow protocol data, aggregated to provide detailed information about the attack on your resource. Whenever a public IP resource is under attack, report generation starts as soon as mitigation starts. An incremental report is generated every 5 minutes, and a post-mitigation report covers the whole mitigation period. This ensures that, in the event the DDoS attack continues for a long time, you can view the most current snapshot of the mitigation report every 5 minutes and a complete summary once attack mitigation is over.
  • AllMetrics: Provides all possible metrics available for the duration of a DDoS attack.

In this tutorial, you'll learn how to:

  • Configure Azure DDoS Protection diagnostic logs, including notifications, mitigation reports and mitigation flow logs.
  • Enable diagnostic logging on all public IPs in a defined scope.
  • View log data in workbooks.

Prerequisites

  • If you don't have an Azure subscription, create a free account before you begin.
  • Before you can complete the steps in this tutorial, you must first create an Azure DDoS Protection plan. DDoS Network Protection must be enabled on a virtual network, or DDoS IP Protection must be enabled on a public IP address.
  • DDoS monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in Virtual network for Azure services (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this tutorial, you can quickly create a Windows or Linux virtual machine.

Configure Azure DDoS Protection diagnostic logs

If you want to automatically enable diagnostic logging on all public IPs within an environment, skip to Enable diagnostic logging on all public IPs.

  1. Select All services at the top left of the portal.

  2. Enter Monitor in the Filter box. When Monitor appears in the results, select it.

  3. Under Settings, select Diagnostic Settings.

  4. Select the Subscription and Resource group that contain the public IP address you want to log.

  5. Select Public IP Address for Resource type, then select the specific public IP address you want to enable logs for.

  6. Select Add diagnostic setting. Under Category Details, select as many of the log and metric categories listed above as you require, and then select Save.

    Screenshot of DDoS diagnostic settings.

  7. Under Destination details, select as many of the following options as you require:

    • Archive to a storage account: Data is written to an Azure Storage account. To learn more about this option, see Archive resource logs.
    • Stream to an event hub: Allows a log receiver to pick up logs using Azure Event Hubs. Event hubs enable integration with Splunk or other SIEM systems. To learn more about this option, see Stream resource logs to an event hub.
    • Send to Log Analytics: Writes logs to the Azure Monitor service. To learn more about this option, see Collect logs for use in Azure Monitor logs.
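The same result as steps 1 through 7, done with the Azure CLI instead of the portal. This is an added example, not part of the original tutorial; the resource group, public IP name, workspace name and setting name are placeholders, and the script only calls Azure when run with --apply.

```shell
#!/usr/bin/env bash
# Added example: enable all DDoS Protection diagnostic categories on one public IP
# and send them to a Log Analytics workspace. Names below are placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-ddos-demo}"       # placeholder
PUBLIC_IP_NAME="${PUBLIC_IP_NAME:-pip-web-frontend}"   # placeholder
WORKSPACE_NAME="${WORKSPACE_NAME:-law-ddos-demo}"      # placeholder
SETTING_NAME="${SETTING_NAME:-ddos-diagnostics}"       # placeholder

# The three log categories described on the page; all are enabled so that
# notifications, flow logs and the 5-minute mitigation reports reach the workspace.
DDOS_LOG_CATEGORIES="DDoSProtectionNotifications DDoSMitigationFlowLogs DDoSMitigationReports"

# Build the JSON array that --logs expects: [{"category":"X","enabled":true},...]
logs_json() {
  out=""
  for c in $DDOS_LOG_CATEGORIES; do
    out="${out:+$out,}{\"category\":\"$c\",\"enabled\":true}"
  done
  printf '[%s]' "$out"
}

# AllMetrics is a metric category, not a log category, so it goes to --metrics.
metrics_json() {
  printf '[{"category":"AllMetrics","enabled":true}]'
}

# Resolve the two resource IDs, then create (or update) the diagnostic setting.
enable_ddos_diagnostics() {
  pip_id=$(az network public-ip show -g "$RESOURCE_GROUP" -n "$PUBLIC_IP_NAME" --query id -o tsv)
  ws_id=$(az monitor log-analytics workspace show -g "$RESOURCE_GROUP" -n "$WORKSPACE_NAME" --query id -o tsv)
  az monitor diagnostic-settings create \
    --name "$SETTING_NAME" \
    --resource "$pip_id" \
    --workspace "$ws_id" \
    --logs "$(logs_json)" \
    --metrics "$(metrics_json)"
}

# Without --apply the script only defines the helpers; nothing is sent to Azure.
if [ "${1:-}" = "--apply" ]; then
  enable_ddos_diagnostics
fi
```

To add a storage account or event hub destination as well, pass --storage-account or --event-hub and --event-hub-rule to the same az command.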

Query Azure DDoS Protection logs in a Log Analytics workspace

For more information on log schemas, see Monitoring Azure DDoS Protection.

DDoSProtectionNotifications logs

  1. Under the Log Analytics workspaces blade, select your Log Analytics workspace.

  2. Under General, select Logs.

  3. In Query explorer, enter the following Kusto query, set the time range to Custom, and choose the last three months. Then select Run.

    AzureDiagnostics
    | where Category == "DDoSProtectionNotifications"

  4. To view DDoSMitigationFlowLogs, change the query to the following, keep the same time range, and select Run.

    AzureDiagnostics
    | where Category == "DDoSMitigationFlowLogs"

  5. To view DDoSMitigationReports, change the query to the following, keep the same time range, and select Run.

    AzureDiagnostics
    | where Category == "DDoSMitigationReports"

Enable diagnostic logging on all public IPs

This built-in policy automatically enables diagnostic logging on all public IP addresses in a defined scope. See Azure Policy built-in definitions for Azure DDoS Protection for the full list of built-in policies.

View log data in workbooks

Microsoft Sentinel data connector

You can connect logs to Microsoft Sentinel, view and analyze your data in workbooks, create custom alerts, and incorporate it into investigation processes. To connect to Microsoft Sentinel, see Connect to Microsoft Sentinel.

Screenshot of Microsoft Sentinel DDoS Connector.

Azure DDoS Protection workbook

You can use this Azure Resource Manager (ARM) template to deploy an attack analytics workbook. This workbook allows you to visualize attack data across several filterable panels to easily understand what’s at stake.


Screenshot of Azure DDoS Protection Workbook.

Validate and test

To simulate a DDoS attack to validate your logs, see Test with simulation partners.

Next steps

In this tutorial, you learned how to:

  • Configure Azure DDoS Protection diagnostic logs, including notifications, mitigation reports and mitigation flow logs.
  • Enable diagnostic logging on all public IPs in a defined scope.
  • View log data in workbooks.

To learn how to configure attack alerts, continue to the next tutorial.