View and configure DDoS diagnostic logging

Azure DDoS Protection Standard provides detailed attack insights and visualization with DDoS Attack Analytics. Customers protecting their virtual networks against DDoS attacks get detailed visibility into attack traffic and into the actions taken to mitigate the attack through attack mitigation reports and mitigation flow logs. Rich telemetry is exposed via Azure Monitor, including detailed metrics for the duration of a DDoS attack. Alerting can be configured for any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with Azure Sentinel, Splunk (via Azure Event Hubs), OMS Log Analytics, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.

The following diagnostic logs are available for Azure DDoS Protection Standard:

  • DDoSProtectionNotifications: Notifies you whenever a public IP resource comes under attack and again when attack mitigation is over.
  • DDoSMitigationFlowLogs: Attack mitigation flow logs let you review the dropped traffic, forwarded traffic, and other datapoints of interest during an active DDoS attack in near real time. You can ingest the constant stream of this data into Azure Sentinel or into your third-party SIEM via event hub for near real-time monitoring, so that your defense operations can act on it while the attack is in progress.
  • DDoSMitigationReports: Attack mitigation reports use aggregated Netflow protocol data to provide detailed information about the attack on your resource. Whenever a public IP resource is under attack, report generation starts as soon as mitigation starts. An incremental report is generated every 5 minutes, and a post-mitigation report covers the whole mitigation period. This ensures that if a DDoS attack continues for a long time, you can view the most current snapshot of the mitigation report every 5 minutes and a complete summary once mitigation is over.
  • AllMetrics: Provides all possible metrics available during the duration of a DDoS attack.

In this tutorial, you'll learn how to:

  • Configure DDoS diagnostic logs, including notifications, mitigation reports and mitigation flow logs.
  • Enable diagnostic logging on all public IPs in a defined scope.
  • View log data in workbooks.

Prerequisites

  • If you don't have an Azure subscription, create a free account before you begin.
  • Before you can complete the steps in this tutorial, you must first create an Azure DDoS Protection Standard plan, and DDoS Protection Standard must be enabled on a virtual network.
  • DDoS Protection monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create one. You can monitor the public IP address of any resource deployed through Resource Manager (not classic) that is listed in Virtual network for Azure services (including Azure Load Balancers whose backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this tutorial, you can quickly create a Windows or Linux virtual machine.

Configure DDoS diagnostic logs

If you want to automatically enable diagnostic logging on all public IPs within an environment, skip to Enable diagnostic logging on all public IPs.

  1. Select All services on the top, left of the portal.

  2. Enter Monitor in the Filter box. When Monitor appears in the results, select it.

  3. Under Settings, select Diagnostic Settings.

  4. Select the Subscription and Resource group that contain the public IP address you want to log.

  5. Select Public IP Address for Resource type, then select the specific public IP address you want to enable logs for.

  6. Select Add diagnostic setting. Under Category details, select as many of the following log categories as you require (DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports, and the AllMetrics metric category).

    DDoS Diagnostic Settings

  7. Under Destination details, select as many of the following destinations as you require, and then select Save. A diagnostic setting needs at least one destination before it can be saved:

    • Archive to a storage account: Data is written to an Azure Storage account. To learn more about this option, see Archive resource logs.
    • Stream to an event hub: Allows a log receiver to pick up logs from an Azure Event Hub. Event hubs enable integration with Splunk or other SIEM systems. To learn more about this option, see Stream resource logs to an event hub.
    • Send to Log Analytics: Writes logs to a Log Analytics workspace, where you can query them with Azure Monitor logs. To learn more about this option, see Collect logs for use in Azure Monitor logs.
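The portal steps above create a Microsoft.Insights/diagnosticSettings resource under the public IP address. When you need the same setting on many public IPs (the scope case that the Enable diagnostic logging on all public IPs section covers with policy), it is easier to drive the Azure Resource Manager REST API directly. The following added example is not code from the original page or from Azure; it builds the PUT request body for the three DDoS log categories plus AllMetrics, refuses a setting with no destination (the API would reject it too), and checks whether an existing setting already covers the DDoS categories so that the PUT can be skipped. The resource IDs and the `ddos-logs` setting name are constructed placeholders, and `put_diagnostic_setting` assumes you already hold an ARM bearer token (for example from `az account get-access-token`).

```python
"""Build and (optionally) send the ARM diagnostic setting that enables the
DDoS Protection log categories on a public IP address.

Added example; not part of the original page. Resource IDs and the setting
name below are constructed placeholders.
"""
import json
import urllib.request

API_VERSION = "2021-05-01-preview"  # Microsoft.Insights/diagnosticSettings

# The three DDoS resource log categories described on this page.
DDOS_LOG_CATEGORIES = (
    "DDoSProtectionNotifications",
    "DDoSMitigationFlowLogs",
    "DDoSMitigationReports",
)
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def build_diagnostic_setting(workspace_id=None, storage_account_id=None,
                             event_hub_rule_id=None, event_hub_name=None,
                             categories=DDOS_LOG_CATEGORIES, all_metrics=True):
    """Return the PUT body for .../providers/Microsoft.Insights/diagnosticSettings/{name}.

    At least one destination (workspace, storage account, or event hub
    authorization rule) is required; unknown categories are rejected because
    ARM would reject them as well.
    """
    if not (workspace_id or storage_account_id or event_hub_rule_id):
        raise ValueError("a diagnostic setting needs at least one destination")
    unknown = set(categories) - set(DDOS_LOG_CATEGORIES)
    if unknown:
        raise ValueError(f"unknown DDoS log categories: {sorted(unknown)}")

    props = {
        "logs": [{"category": c, "enabled": True} for c in categories],
        "metrics": [{"category": "AllMetrics", "enabled": bool(all_metrics)}],
    }
    if workspace_id:
        props["workspaceId"] = workspace_id
    if storage_account_id:
        props["storageAccountId"] = storage_account_id
    if event_hub_rule_id:
        props["eventHubAuthorizationRuleId"] = event_hub_rule_id
        if event_hub_name:
            props["eventHubName"] = event_hub_name
    return {"properties": props}


def diagnostic_setting_url(public_ip_id, setting_name="ddos-logs"):
    """ARM URL of the diagnostic setting for the given public IP resource ID."""
    return (f"https://management.azure.com{public_ip_id}"
            f"/providers/Microsoft.Insights/diagnosticSettings/{setting_name}"
            f"?api-version={API_VERSION}")


def covers_ddos_logs(existing_settings):
    """True if any setting (items of the GET .../diagnosticSettings 'value'
    list) has all three DDoS categories enabled and at least one destination."""
    for setting in existing_settings:
        props = setting.get("properties", {})
        enabled = {l["category"] for l in props.get("logs", []) if l.get("enabled")}
        has_destination = any(props.get(k) for k in DESTINATION_KEYS)
        if set(DDOS_LOG_CATEGORIES) <= enabled and has_destination:
            return True
    return False


def put_diagnostic_setting(public_ip_id, body, bearer_token, setting_name="ddos-logs"):
    """Send the PUT to ARM. Network call; needs a valid bearer token."""
    request = urllib.request.Request(
        diagnostic_setting_url(public_ip_id, setting_name),
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    # Constructed IDs; no request is sent here.
    pip_id = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
              "/providers/Microsoft.Network/publicIPAddresses/pip-web")
    workspace = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"
                 "/providers/Microsoft.OperationalInsights/workspaces/law-sec")
    body = build_diagnostic_setting(workspace_id=workspace)
    print(diagnostic_setting_url(pip_id))
    print(json.dumps(body, indent=2))
    print("already covered:", covers_ddos_logs([body]))
```

For a whole subscription, list the public IPs (`az network public-ip list --query "[].id"`), fetch each resource's existing diagnostic settings with a GET on the same URL minus the setting name, and call `put_diagnostic_setting` only where `covers_ddos_logs` returns False; that keeps the loop idempotent and leaves settings created by other teams untouched.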

Query DDoS Protection logs in a Log Analytics workspace

DDoSProtectionNotifications logs

  1. In the Log Analytics workspaces blade, select your Log Analytics workspace.

  2. Under General, select Logs.

  3. In Query explorer, enter the following Kusto query, set the time range to Custom with the last 3 months, and then select Run.

    AzureDiagnostics
    | where Category == "DDoSProtectionNotifications"
    

DDoSMitigationFlowLogs

  1. Now change the query to the following, keep the same time range, and select Run.

    AzureDiagnostics
    | where Category == "DDoSMitigationFlowLogs"
    

DDoSMitigationReports

  1. Now change the query to the following, keep the same time range, and select Run.

    AzureDiagnostics
    | where Category == "DDoSMitigationReports"
    

Log schemas

The following table lists the field names and descriptions for DDoSProtectionNotifications records. In the AzureDiagnostics table, the columns that are specific to the resource provider carry a data-type suffix (for example Type_s and PublicIpAddress_s), while the standard columns such as TimeGenerated, ResourceId, and Category do not; use the suffixed names when you filter or project on them in Kusto.

Field name: Description
TimeGenerated: The date and time in UTC when the notification was created.
ResourceId: The resource ID of your public IP address.
Category: For notifications, this is DDoSProtectionNotifications.
ResourceGroup: The resource group that contains your public IP address and virtual network.
SubscriptionId: The subscription ID of your DDoS protection plan.
Resource: The name of your public IP address.
ResourceType: This is always PUBLICIPADDRESS.
OperationName: For notifications, this is DDoSProtectionNotifications.
Message: Details of the attack.
Type: Type of notification. Possible values are MitigationStarted and MitigationStopped.
PublicIpAddress: Your public IP address.
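Because every mitigation produces a MitigationStarted record and later a MitigationStopped record for the same PublicIpAddress, the notification stream can be turned into an attack timeline, and a start with no matching stop is a mitigation that is still running. The following added example (not code from the original page or from Azure) does that over notification records using the field names from the table above, as they would arrive after you export the query results or consume the stream from an event hub or a SIEM. It sorts by TimeGenerated so out-of-order delivery is tolerated, ignores records from other categories, tolerates a stop whose start fell outside the query window, and reports duration in minutes. The sample records are constructed and not real telemetry.

```python
"""Turn DDoSProtectionNotifications records into an attack timeline and flag
mitigations still in progress.

Added example; not part of the original page. Field names follow the
DDoSProtectionNotifications schema table; the records are constructed.
"""
from datetime import datetime, timezone

# Constructed sample records (deliberately out of chronological order).
SAMPLE_NOTIFICATIONS = [
    {"TimeGenerated": "2023-03-01T10:23:00Z", "Category": "DDoSProtectionNotifications",
     "ResourceId": "/subscriptions/0000/resourceGroups/rg-web/providers/Microsoft.Network/publicIPAddresses/pip-web",
     "Resource": "pip-web", "ResourceType": "PUBLICIPADDRESS",
     "Type": "MitigationStopped", "PublicIpAddress": "203.0.113.10",
     "Message": "DDoS attack mitigation stopped"},
    {"TimeGenerated": "2023-03-01T10:00:00Z", "Category": "DDoSProtectionNotifications",
     "ResourceId": "/subscriptions/0000/resourceGroups/rg-web/providers/Microsoft.Network/publicIPAddresses/pip-web",
     "Resource": "pip-web", "ResourceType": "PUBLICIPADDRESS",
     "Type": "MitigationStarted", "PublicIpAddress": "203.0.113.10",
     "Message": "DDoS attack mitigation started"},
    {"TimeGenerated": "2023-03-01T11:00:00Z", "Category": "DDoSProtectionNotifications",
     "ResourceId": "/subscriptions/0000/resourceGroups/rg-api/providers/Microsoft.Network/publicIPAddresses/pip-api",
     "Resource": "pip-api", "ResourceType": "PUBLICIPADDRESS",
     "Type": "MitigationStarted", "PublicIpAddress": "203.0.113.20",
     "Message": "DDoS attack mitigation started"},
    # A flow-log record mixed into the same stream; must be ignored here.
    {"TimeGenerated": "2023-03-01T11:05:00Z", "Category": "DDoSMitigationFlowLogs",
     "ResourceId": "/subscriptions/0000/resourceGroups/rg-api/providers/Microsoft.Network/publicIPAddresses/pip-api",
     "Resource": "pip-api", "ResourceType": "PUBLICIPADDRESS",
     "Type": "", "PublicIpAddress": "203.0.113.20", "Message": ""},
]


def parse_time(value):
    """Parse the ISO 8601 UTC timestamp used in TimeGenerated."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def mitigation_timeline(records, now=None):
    """Pair MitigationStarted/MitigationStopped per public IP.

    Returns one dict per mitigation with keys public_ip, resource, started,
    stopped, ongoing, duration_minutes. A start without a stop is ongoing
    and its duration is measured up to `now`; a stop without a start (start
    outside the query window) is kept with started=None.
    """
    now = now or datetime.now(timezone.utc)
    notifications = sorted(
        (r for r in records if r.get("Category") == "DDoSProtectionNotifications"),
        key=lambda r: parse_time(r["TimeGenerated"]),
    )
    open_by_ip, timeline = {}, []
    for r in notifications:
        ip, when = r["PublicIpAddress"], parse_time(r["TimeGenerated"])
        if r["Type"] == "MitigationStarted":
            # A repeated start for an IP already under mitigation keeps the earliest.
            open_by_ip.setdefault(ip, {"public_ip": ip, "resource": r["Resource"],
                                       "started": when, "stopped": None})
        elif r["Type"] == "MitigationStopped":
            event = open_by_ip.pop(ip, None) or {"public_ip": ip, "resource": r["Resource"],
                                                 "started": None, "stopped": None}
            event["stopped"] = when
            timeline.append(event)
    timeline.extend(open_by_ip.values())
    for event in timeline:
        event["ongoing"] = event["stopped"] is None
        end = event["stopped"] or now
        event["duration_minutes"] = (None if event["started"] is None
                                     else (end - event["started"]).total_seconds() / 60)
    return timeline


def ongoing_mitigations(records, now=None, min_minutes=0.0):
    """Mitigations still running for at least `min_minutes` (alerting input)."""
    return [e for e in mitigation_timeline(records, now)
            if e["ongoing"] and (e["duration_minutes"] or 0) >= min_minutes]


if __name__ == "__main__":
    now = parse_time("2023-03-01T11:30:00Z")
    for event in mitigation_timeline(SAMPLE_NOTIFICATIONS, now):
        state = "ONGOING" if event["ongoing"] else "ended"
        print(f"{event['resource']} ({event['public_ip']}): {state}, "
              f"{event['duration_minutes']:.0f} min")
```

`ongoing_mitigations` with a threshold such as 15 minutes is a reasonable trigger for paging: a short mitigation is routine, while one that keeps running is worth correlating with the incremental DDoSMitigationReports that arrive every 5 minutes.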

Enable diagnostic logging on all public IPs

A built-in Azure Policy definition automatically enables diagnostic logging on all public IP addresses in a defined scope, so that new public IPs are covered without a manual step per resource. See Azure Policy built-in definitions for Azure DDoS Protection Standard for the full list of built-in policies.

View log data in workbooks

Azure Sentinel data connector

You can connect logs to Azure Sentinel, view and analyze your data in workbooks, create custom alerts, and incorporate it into investigation processes. To connect to Azure Sentinel, see Connect to Azure Sentinel.

Azure Sentinel DDoS Connector

Azure DDoS Protection Workbook

You can use this Azure Resource Manager (ARM) template to deploy an attack analytics workbook. The workbook visualizes attack data across several filterable panels so that you can quickly see which resources are affected and how the attack was mitigated.

DDoS Protection Workbook

Validate and test

To simulate a DDoS attack to validate your logs, see Validate DDoS detection.

Next steps

In this tutorial, you learned how to:

  • Configure DDoS diagnostic logs, including notifications, mitigation reports and mitigation flow logs.
  • Enable diagnostic logging on all public IPs in a defined scope.
  • View log data in workbooks.

To learn how to configure attack alerts, continue to the next tutorial.