Monitor logs using Azure Firewall Workbook

Azure Firewall Workbook provides a flexible canvas for Azure Firewall data analysis. You can use it to create rich visual reports within the Azure portal. You can tap into multiple Firewalls deployed across Azure, and combine them into unified interactive experiences.

You can gain insights into Azure Firewall events, learn about your application and network rules, and see statistics for firewall activities across URLs, ports, and addresses. Azure Firewall Workbook allows you to filter your firewalls and resource groups, and dynamically filter per category with easy to read data sets when investigating an issue in your logs.


Before starting, you should enable diagnostic logging through the Azure portal. Also, read Azure Firewall logs and metrics for an overview of the diagnostics logs and metrics available for Azure Firewall.

Get started

To deploy the workbook, go to Azure Monitor Workbook for Azure Firewall and following the instructions on the page. Azure Firewall Workbook is designed to work across multi-tenants, multi-subscriptions, and is filterable to multiple firewalls.

Overview page

The overview page provides you with a way to filter across workspaces, time, and firewalls. It shows events by time across firewalls and log types (application, networks, threat intel, DNS proxy).

Azure Firewall Workbook overview

Application rule log statistics

This page shows unique sources of IP address over time, application rule count usage, denied/allowed FQDN over time, and filtered data. You can filter data based on IP address.

Azure Firewall Workbook application rule log

The Web Categories view summarizes all allow and deny access log actions based on severity as configured by the firewall administrator.

Azure Firewall Web Category Summary

Network rule log statistics

This page provides a view by rule action – allow/deny, target port by IP and DNAT over time. You can also filter by action, port, and destination type.

Azure Firewall Workbook network rule log

You can also filter logs based on time window:

Azure Firewall Workbook network rule log time window

IDPS log statistics

This page provides an overview of the IDPS actions count for all traffic that match the IDPS rules: Protocol, Signature ID, Source IP.

Azure Firewall Workbook idps log


You can look at the logs and understand more about the resource based on the source IP address. You can get information like virtual machine name and network interface name. It's simple to filter to the resource from the logs.

Azure Firewall Workbook investigation

Next steps