This article is a translation of https://qiita.com/aktsmm/items/c3486b17c0482f7da411
Hello, this is Yamapan.
I have been experimenting with the new structured firewall logs (resource specific) in Azure Firewall.
At the time of writing, this is a preview feature.
What's good about it
With the conventional Azure Firewall logs (Azure Diagnostics), the log data had to be formatted with a Kusto query (a parse step) to make it easier to read. Here is the article on that:
https://qiita.com/aktsmm/items/380eab220bd892581a19
The structured logs we are using this time, on the other hand, are log data generated by Azure Firewall in a fixed format. There is not much difference in the data you can obtain compared to the conventional firewall logs (Azure Diagnostics), but the fixed format makes it easier to analyze and visualize the data, find security incidents, and understand traffic trends.
Configuring diagnostics
The docs are here. You can basically configure it as described there, but it took longer for the settings to take effect than with the conventional firewall logs (Azure Diagnostics). (In my environment, it took about half a day before the settings took effect and the logs could be viewed in the Log Analytics workspace.)
https://learn.microsoft.com/en-us/azure/firewall/firewall-preview#structured-firewall-logs-preview
Enable in Azure PowerShell
This procedure is only needed during the preview and will not be necessary after GA (general availability).
```powershell
# Sign in and select the subscription that contains the Azure Firewall
Connect-AzAccount
Select-AzSubscription -Subscription "subscription_id or subscription_name"
# Opt in to the preview feature, then re-register the Microsoft.Network provider so it picks up the feature
Register-AzProviderFeature -FeatureName AFWEnableStructuredLogs -ProviderNamespace Microsoft.Network
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
```
In my environment, the feature did not reach the Registered state after a single run of the command (the status stayed at Registering), so if it is not yet registered you need to run the Register commands above again until the state shows Registered.
Configure Azure Firewall diagnostic settings
This time, I configured it as follows.
The key point is that the destination table is Resource specific, not Azure diagnostics.
If you have old diagnostic settings, try deleting them and re-creating them.
In my environment, I already had an old diagnostic setting (Azure Diagnostics). I tried editing it and changing the destination table to Resource specific, but for some reason that did not work. Deleting the diagnostic setting and re-creating it as a resource-specific diagnostic setting did work.
Using structured firewall logs (resource-specific)
With the previous firewall logs (Azure Diagnostics), I had to parse the logs, but I think that is no longer necessary with these structured firewall logs.
SourceIP, DestinationIP, and Action are standard columns, so at least for this information you no longer need a parse step to make it readable.
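As an added example (not from the original article), two separate queries that show the difference: the first is the conventional Azure Diagnostics approach, where the text column msg_s has to be parsed first; the second uses the standard columns of AZFWNetworkRule directly to list the sources that hit the most Deny decisions in the last hour, which is a quick scan-style triage view. Column names (SourceIp, DestinationIp, DestinationPort, Action) follow the AZFWNetworkRule table reference; the msg_s layout in the first query is assumed from the conventional log format.

```kusto
// Conventional Azure Diagnostics: everything lives in one text column (msg_s).
// Assumed message layout: "TCP request from 10.0.0.4:49152 to 10.0.1.5:443. Action: Deny"
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIp ":" SourcePort:int
                  " to " DestinationIp ":" DestinationPort:int ". Action: " Action
| project TimeGenerated, Protocol, SourceIp, SourcePort, DestinationIp, DestinationPort, Action

// Structured (resource-specific) table: the same fields are already typed columns,
// so the query goes straight to the question. Here: which source/destination pairs
// were denied most often in the last hour, and how many distinct ports they touched.
AZFWNetworkRule
| where TimeGenerated > ago(1h)
| where Action == "Deny"
| summarize DenyCount = count(),
            DistinctPorts = dcount(DestinationPort),
            Ports = make_set(DestinationPort, 20)
          by SourceIp, DestinationIp
| where DenyCount >= 10          // threshold to cut noise; tune for your environment
| order by DenyCount desc
| take 20
```

A high DistinctPorts value for one pair is the kind of pattern worth turning into an alert rule on the structured table.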
AzureFirewallNetworkRuleLog / AZFWNetworkRule table
Kusto query
```kusto
AZFWNetworkRule
```
Result sample
AzureFirewallNATRulelog / AZFWNatRule table
Kusto query
```kusto
AZFWNatRule
```
Other tables
The AZFW* tables, including those listed above, are the following.
- AZFWApplicationRule
- AZFWApplicationRuleAggregation
- AZFWDnsQuery
- AZFWFatFlow
- AZFWIdpsSignature
- AZFWInternalFqdnResolutionFailure
- AZFWNatRule
- AZFWNatRuleAggregation
- AZFWNetworkRule
- AZFWNetworkRuleAggregation
- AZFWThreatIntel
For details, see the description of each table in the reference below, and give it a try!
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwapplicationrule