Commit 311d7ae

Merge pull request #209500 from AbdullahBell/DDoSDiagFreshness
DDoS Protection: View and configure DDoS diagnostic logging | Freshness update
2 parents 6e92b78 + 53fdd05 commit 311d7ae

File tree

1 file changed

+10
-7
lines changed

articles/ddos-protection/diagnostic-logging.md

Lines changed: 10 additions & 7 deletions
@@ -8,20 +8,20 @@ ms.service: ddos-protection
88
ms.topic: article
99
ms.tgt_pltfrm: na
1010
ms.workload: infrastructure-services
11-
ms.date: 12/28/2020
11+
ms.date: 08/29/2022
1212
ms.author: abell
1313

1414
---
1515

16-
# View and configure DDoS diagnostic logging
16+
# Tutorial: View and configure DDoS diagnostic logging
1717

1818
Azure DDoS Protection standard provides detailed attack insights and visualization with DDoS Attack Analytics. Customers protecting their virtual networks against DDoS attacks have detailed visibility into attack traffic and actions taken to mitigate the attack via attack mitigation reports & mitigation flow logs. Rich telemetry is exposed via Azure Monitor including detailed metrics during the duration of a DDoS attack. Alerting can be configured for any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with [Microsoft Sentinel](../sentinel/data-connectors-reference.md#azure-ddos-protection), Splunk (Azure Event Hubs), OMS Log Analytics, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.
1919

2020
The following diagnostic logs are available for Azure DDoS Protection Standard:
2121

2222
- **DDoSProtectionNotifications**: Notifications will notify you anytime a public IP resource is under attack, and when attack mitigation is over.
2323
- **DDoSMitigationFlowLogs**: Attack mitigation flow logs allow you to review the dropped traffic, forwarded traffic and other interesting datapoints during an active DDoS attack in near-real time. You can ingest the constant stream of this data into Microsoft Sentinel or to your third-party SIEM systems via event hub for near-real time monitoring, take potential actions and address the need of your defense operations.
24-
- **DDoSMitigationReports**: Attack mitigation reports uses the Netflow protocol data which is aggregated to provide detailed information about the attack on your resource. Anytime a public IP resource is under attack, the report generation will start as soon as the mitigation starts. There will be an incremental report generated every 5 mins and a post-mitigation report for the whole mitigation period. This is to ensure that in an event the DDoS attack continues for a longer duration of time, you will be able to view the most current snapshot of mitigation report every 5 minutes and a complete summary once the attack mitigation is over.
24+
- **DDoSMitigationReports**: Attack mitigation reports use the Netflow protocol data, which is aggregated to provide detailed information about the attack on your resource. Anytime a public IP resource is under attack, the report generation will start as soon as the mitigation starts. There will be an incremental report generated every 5 mins and a post-mitigation report for the whole mitigation period. This is to ensure that in an event the DDoS attack continues for a longer duration of time, you'll be able to view the most current snapshot of mitigation report every 5 minutes and a complete summary once the attack mitigation is over.
2525
- **AllMetrics**: Provides all possible metrics available during the duration of a DDoS attack.
2626

2727
In this tutorial, you'll learn how to:
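Review bot: `ms.topic` at line 9 of the file (unchanged context in this hunk) is still `article`, while the heading is now `# Tutorial: View and configure DDoS diagnostic logging`; if the page is being reclassified as a tutorial, set `ms.topic: tutorial` in the same change so the metadata matches the title, otherwise keep the previous heading. The edited DDoSMitigationReports bullet also still reads "in an event the DDoS attack continues", which should be "in the event that the DDoS attack continues", and it uses "5 mins" and "5 minutes" in adjacent sentences; pick one form.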
@@ -48,8 +48,9 @@ If you want to automatically enable diagnostic logging on all public IPs within
4848
5. Select **Public IP Address** for **Resource type**, then select the specific public IP address you want to enable logs for.
4949
6. Select **Add diagnostic setting**. Under **Category Details**, select as many of the following options you require, and then select **Save**.
5050

51-
![DDoS Diagnostic Settings](./media/ddos-attack-telemetry/ddos-diagnostic-settings.png)
51+
:::image type="content" source="./media/ddos-attack-telemetry/ddos-diagnostic-settings.png" alt-text="Screenshot of DDoS diagnostic settings." lightbox="./media/ddos-attack-telemetry/ddos-diagnostic-settings.png":::
5252

53+
5354
7. Under **Destination details**, select as many of the following options as you require:
5455

5556
- **Archive to a storage account**: Data is written to an Azure Storage account. To learn more about this option, see [Archive resource logs](../azure-monitor/essentials/resource-logs.md?toc=%2fazure%2fvirtual-network%2ftoc.json#send-to-azure-storage).
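Review bot: the blank line added at new line 53 sits directly after the existing blank line 52, so the `:::image:::` directive is now followed by two blank lines before step 7; drop the added line, one blank is enough to separate the image from the list. The alt text "Screenshot of DDoS diagnostic settings." would help screen-reader users more if it named what the step points at, for example the Category details options the reader is asked to select.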
@@ -64,7 +65,7 @@ If you want to automatically enable diagnostic logging on all public IPs within
6465

6566
4. Under **General**, click on **Logs**
6667

67-
5. In Query explorer, type in the following Kusto Query and change the time range to Custom and change the time range to last 3 months. Then hit Run.
68+
5. In Query explorer, type in the following Kusto Query and change the time range to Custom and change the time range to last three months. Then hit Run.
6869

6970
```kusto
7071
AzureDiagnostics
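Review bot: the edited step 5 still repeats itself, "change the time range to Custom and change the time range to last three months"; suggest "set the time range to Custom and choose the last three months." Also "Then hit Run" does not match the "select **Save**" wording used in step 6 of the previous section; "Then select **Run**" would be consistent.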
@@ -164,15 +165,17 @@ This [built-in policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/Po
164165
165166
You can connect logs to Microsoft Sentinel, view and analyze your data in workbooks, create custom alerts, and incorporate it into investigation processes. To connect to Microsoft Sentinel, see [Connect to Microsoft Sentinel](../sentinel/data-connectors-reference.md#azure-ddos-protection).
166167
167-
![Microsoft Sentinel DDoS Connector](./media/ddos-attack-telemetry/azure-sentinel-ddos.png)
168+
169+
:::image type="content" source="./media/ddos-attack-telemetry/azure-sentinel-ddos.png" alt-text="Screenshot of Microsoft Sentinel DDoS Connector." lightbox="./media/ddos-attack-telemetry/azure-sentinel-ddos.png":::
168170
169171
### Azure DDoS Protection Workbook
170172
171173
You can use [this Azure Resource Manager (ARM) template](https://aka.ms/ddosworkbook) to deploy an attack analytics workbook. This workbook allows you to visualize attack data across several filterable panels to easily understand what’s at stake.
172174
173175
[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Network-Security%2Fmaster%2FAzure%20DDoS%20Protection%2FWorkbook%20-%20Azure%20DDOS%20monitor%20workbook%2FAzureDDoSWorkbook_ARM.json)
174176
175-
![DDoS Protection Workbook](./media/ddos-attack-telemetry/ddos-attack-analytics-workbook.png)
177+
178+
:::image type="content" source="./media/ddos-attack-telemetry/ddos-attack-analytics-workbook.png" alt-text="Screenshot of DDoS Protection Workbook." lightbox="./media/ddos-attack-telemetry/ddos-attack-analytics-workbook.png":::
176179
177180
## Validate and test
178181

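Review bot: both image replacements add a blank line (new lines 168 and 177) immediately after an existing blank line (166 and 176), so each `:::image:::` directive is now preceded by two consecutive blank lines; remove the added blank lines so the spacing matches the rest of the file. The alt texts themselves are fine.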