Merge pull request #231026 from AbdullahBell/ddos-view-diag-logs

DDoS Protection: View Azure DDOS Protection logs in log analytics workspace

Author: v-stsavell

articles/azure-monitor/essentials/resource-logs-schema.md

@@ -68,13 +68,13 @@ The schema for resource logs varies depending on the resource and log category.
 | Azure Database for MySQL | [Azure Database for MySQL diagnostic logs](../../mysql/concepts-server-logs.md#diagnostic-logs) |
 | Azure Database for PostgreSQL | [Azure Database for PostgreSQL logs](../../postgresql/concepts-server-logs.md#resource-logs) |
 | Azure Databricks | [Diagnostic logging in Azure Databricks](/azure/databricks/administration-guide/account-settings/azure-diagnostic-logs) |
-| Azure DDoS Protection | [Logging for Azure DDoS Protection](../../ddos-protection/monitor-ddos-protection-reference.md#log-schemas) |
+| Azure DDoS Protection | [Logging for Azure DDoS Protection](../../ddos-protection/ddos-view-diagnostic-logs.md#example-log-queries) |
 | Azure Digital Twins | [Set up Azure Digital Twins diagnostics](../../digital-twins/troubleshoot-diagnostics.md#log-schemas)
 | Azure Event Hubs |[Azure Event Hubs logs](../../event-hubs/event-hubs-diagnostic-logs.md) |
 | Azure ExpressRoute | [Monitoring Azure ExpressRoute](../../expressroute/monitor-expressroute.md#collection-and-routing) |
 | Azure Firewall | [Logging for Azure Firewall](../../firewall/logs-and-metrics.md#diagnostic-logs) |
 | Azure Front Door | [Logging for Azure Front Door](../../frontdoor/front-door-diagnostics.md) |
-| Azure Functions | [Monitoring Azure Functions Data Reference Resource Logs](https://learn.microsoft.com/azure/azure-functions/monitor-functions-reference#resource-logs) |
+| Azure Functions | [Monitoring Azure Functions Data Reference Resource Logs](../../azure-functions/monitor-functions-reference.md#resource-logs) |
 | Azure IoT Hub | [IoT Hub operations](../../iot-hub/monitor-iot-hub-reference.md#resource-logs) |
 | Azure IoT Hub Device Provisioning Service| [Device Provisioning Service operations](../../iot-dps/monitor-iot-dps-reference.md#resource-logs) |
 | Azure Key Vault |[Azure Key Vault logging](../../key-vault/general/logging.md) |

articles/ddos-protection/TOC.yml

@@ -68,6 +68,8 @@
       items: 
         - name: View alerts in Microsoft Defender for Cloud
           href: ddos-view-alerts-defender-for-cloud.md
+        - name: View diagnostic logs in Log Analytics workspace
+          href: ddos-view-diagnostic-logs.md
     - name: Test with simulation partners
       href: test-through-simulations.md
     - name: Manage permissions and restrictions

articles/ddos-protection/ddos-view-diagnostic-logs.md

@@ -0,0 +1,116 @@
+---
+title: 'View Azure DDoS Protection logs in Log Analytics workspace'
+description: Learn how to view DDoS protection diagnostic logs in Log Analytics workspace.
+services: ddos-protection
+author: AbdullahBell
+ms.service: ddos-protection
+ms.topic: how-to
+ms.workload: infrastructure-services
+ms.date: 03/22/2023
+ms.author: abell
+---
+
+# View Azure DDoS Protection logs in Log Analytics workspace
+
+In this guide, you'll learn how to view Azure DDoS Protection diagnostic logs, including notifications, mitigation reports and mitigation flow logs.
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- [DDoS Network Protection](manage-ddos-protection.md) must be enabled on a virtual network or [DDoS IP Protection](manage-ddos-protection-powershell-ip.md) must be enabled on a public IP address. 
+- Configure DDoS Protection diagnostic logs. To learn more, see [Configure diagnostic logs](diagnostic-logging.md).
+- Simulate an attack using one of our simulation partners. To learn more, see [Test with simulation partners](test-through-simulations.md).
+
+### View in log analytics workspace
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. In the search box at the top of the portal, enter **Log Analytics workspace**. Select **Log Analytics workspace** in the search results.
+1. Under the **Log Analytics workspaces** blade, select your workspace.
+1. On the left-side tab, select **Logs**. Here you'll see the query explorer. Exit out the *Queries* pane to utilize the *Logs* page. 
+
+    :::image type="content" source="./media/ddos-view-diagnostic-logs/ddos-select-logs-in-workspace.png" alt-text="Screenshot of viewing a log analytics workspace.":::
+
+1. In the *Logs* page, type in your query then hit *Run* to view results.
+
+    :::image type="content" source="./media/ddos-view-diagnostic-logs/ddos-notification-logs.png" alt-text="Screenshot of viewing DDoS Protection notification logs in log analytics workspace.":::
+
+## Example log queries
+
+### DDoS Protection Notifications
+
+Notifications will notify you anytime a public IP resource is under attack, and when attack mitigation is over.
+
+```kusto
+    AzureDiagnostics
+    | where Category == "DDoSProtectionNotifications"
+```
+
+
+The following table lists the field names and descriptions:
+
+| Field name | Description |
+| --- | --- |
+| **TimeGenerated** | The date and time in UTC when the notification was created. |
+| **ResourceId** | The resource ID of your public IP address. |
+| **Category** | For notifications, this will be `DDoSProtectionNotifications`.|
+| **ResourceGroup** | The resource group that contains your public IP address and virtual network. |
+| **SubscriptionId** | Your DDoS protection plan subscription ID. |
+| **Resource** | The name of your public IP address. |
+| **ResourceType** | This will always be `PUBLICIPADDRESS`. |
+| **OperationName** | For notifications, this will be `DDoSProtectionNotifications`.  |
+| **Message** | Details of the attack. |
+| **Type** | Type of notification. Possible values include `MitigationStarted`. `MitigationStopped`. |
+| **PublicIpAddress** | Your public IP address. |
+
+### DDoS Mitigation FlowLogs
+
+Attack mitigation flow logs allow you to review the dropped traffic, forwarded traffic and other interesting data-points during an active DDoS attack in near-real time. You can ingest the constant stream of this data into Microsoft Sentinel or to your third-party SIEM systems via event hub for near-real time monitoring, take potential actions and address the need of your defense operations.
+
+```kusto
+    AzureDiagnostics
+    | where Category == "DDoSMitigationFlowLogs"
+```
+
+| Field name | Description |
+| --- | --- |
+| **TimeGenerated** | The date and time in UTC when the flow log was created. |
+| **ResourceId** | The resource ID of your public IP address. |
+| **Category** | For flow logs, this will be `DDoSMitigationFlowLogs`.|
+| **ResourceGroup** | The resource group that contains your public IP address and virtual network. |
+| **SubscriptionId** | Your DDoS protection plan subscription ID. |
+| **Resource** | The name of your public IP address. |
+| **ResourceType** | This will always be `PUBLICIPADDRESS`. |
+| **OperationName** | For flow logs, this will be `DDoSMitigationFlowLogs`. |
+| **Message** | Details of the attack. |
+| **SourcePublicIpAddress** | The public IP address of the client generating traffic to your public IP address. |
+| **SourcePort** | Port number ranging from 0 to 65535. |
+| **DestPublicIpAddress** | Your public IP address. |
+| **DestPort** | Port number ranging from 0 to 65535. |
+| **Protocol** | Type of protocol. Possible values include `tcp`, `udp`, `other`.|
+
+### DDoS Mitigation FlowLogs
+
+Attack mitigation reports use the Netflow protocol data, which is aggregated to provide detailed information about the attack on your resource. Anytime a public IP resource is under attack, the report generation will start as soon as the mitigation starts. There will be an incremental report generated every 5 mins and a post-mitigation report for the whole mitigation period. This is to ensure that in an event the DDoS attack continues for a longer duration of time, you'll be able to view the most current snapshot of mitigation report every 5 minutes and a complete summary once the attack mitigation is over.
+
+```kusto
+    AzureDiagnostics
+    | where Category == "DDoSMitigationReports"
+```
+
+| Field name | Description |
+| --- | --- |
+| **TimeGenerated** | The date and time in UTC when the notification was created. |
+| **ResourceId** | The resource ID of your public IP address. |
+| **Category** | For notifications, this will be `DDoSProtectionNotifications`.|
+| **ResourceGroup** | The resource group that contains your public IP address and virtual network. |
+| **SubscriptionId** | Your DDoS protection plan subscription ID. |
+| **Resource** | The name of your public IP address. |
+| **ResourceType** | This will always be `PUBLICIPADDRESS`. |
+| **OperationName** | For notifications, this will be `DDoSProtectionNotifications`.  |
+| **Message** | Details of the attack. |
+| **Type** | Type of notification. Possible values include `MitigationStarted`. `MitigationStopped`. |
+| **PublicIpAddress** | Your public IP address. |
+
+
+## Next steps
+
+*[Engage DDoS Rapid Response](ddos-rapid-response.md)

articles/ddos-protection/diagnostic-logging.md

@@ -52,7 +52,7 @@ In this guide, you'll learn how to configure Azure DDoS Protection diagnostic lo
 
 ### Query Azure DDOS Protection logs in log analytics workspace
 
-For more information on log schemas, see [Monitoring Azure DDoS Protection](monitor-ddos-protection-reference.md#diagnostic-logs).
+For more information on log schemas, see [View diagnostic logs](ddos-view-diagnostic-logs.md#example-log-queries).
 #### DDoSProtectionNotifications logs
 
 1. Under the **Log analytics workspaces** blade, select your log analytics workspace.

articles/ddos-protection/media/ddos-view-diagnostic-logs/ddos-mitigation-logs.png

@@ -5,14 +5,14 @@ author: AbdullahBell
 ms.author: abell
 ms.service: ddos-protection
 ms.topic: conceptual
-ms.date: 12/19/2022
+ms.date: 03/22/2023
 ms.custom: template-concept
 ---
 
 # Monitoring Azure DDoS Protection
 
 
-See [Tutorial: View and configure Azure DDoS protection telemetry](telemetry.md) for details on collecting, analyzing, and monitoring DDoS Protection.
+The following section outlines the metrics of the Azure DDoS Protection service.
 
 ## Metrics
 
@@ -56,87 +56,11 @@ The following [Azure Monitor metrics](../azure-monitor/essentials/metrics-suppor
 | UDPPacketsDroppedDDoS​ | Inbound UDP packets dropped DDoS​ | CountPerSecond​ | Maximum​ | Inbound UDP packets dropped DDoS​ |
 | UDPPacketsForwardedDDoS​ | Inbound UDP packets forwarded DDoS​ | CountPerSecond​ | Maximum​ | Inbound UDP packets forwarded DDoS​ |
 | UDPPacketsInDDoS​ | Inbound UDP packets DDoS​ | CountPerSecond​ | Maximum​ | Inbound UDP packets DDoS​ |
-## Diagnostic logs
-
-See [Tutorial: View and configure Azure DDoS Protection diagnostic logging](diagnostic-logging.md) for details on attack insights and visualization with DDoS Attack Analytics.
-
-The following diagnostic logs are available for Azure DDoS Protection:
-
-- **DDoSProtectionNotifications**: Notifications will notify you anytime a public IP resource is under attack, and when attack mitigation is over.
-- **DDoSMitigationFlowLogs**: Attack mitigation flow logs allow you to review the dropped traffic, forwarded traffic and other interesting data-points during an active DDoS attack in near-real time. You can ingest the constant stream of this data into Microsoft Sentinel or to your third-party SIEM systems via event hub for near-real time monitoring, take potential actions and address the need of your defense operations.
-- **DDoSMitigationReports**: Attack mitigation reports use the Netflow protocol data, which is aggregated to provide detailed information about the attack on your resource. Anytime a public IP resource is under attack, the report generation will start as soon as the mitigation starts. There will be an incremental report generated every 5 mins and a post-mitigation report for the whole mitigation period. This is to ensure that in an event the DDoS attack continues for a longer duration of time, you'll be able to view the most current snapshot of mitigation report every 5 minutes and a complete summary once the attack mitigation is over.
-- **AllMetrics**: Provides all possible metrics available during the duration of a DDoS attack.
-
-## Log schemas
-
-The following table lists the field names and descriptions:
-
-# [DDoSProtectionNotifications](#tab/DDoSProtectionNotifications)
-
-| Field name | Description |
-| --- | --- |
-| **TimeGenerated** | The date and time in UTC when the notification was created. |
-| **ResourceId** | The resource ID of your public IP address. |
-| **Category** | For notifications, this will be `DDoSProtectionNotifications`.|
-| **ResourceGroup** | The resource group that contains your public IP address and virtual network. |
-| **SubscriptionId** | Your DDoS protection plan subscription ID. |
-| **Resource** | The name of your public IP address. |
-| **ResourceType** | This will always be `PUBLICIPADDRESS`. |
-| **OperationName** | For notifications, this will be `DDoSProtectionNotifications`.  |
-| **Message** | Details of the attack. |
-| **Type** | Type of notification. Possible values include `MitigationStarted`. `MitigationStopped`. |
-| **PublicIpAddress** | Your public IP address. |
-
-# [DDoSMitigationFlowLogs](#tab/DDoSMitigationFlowLogs)
-
-| Field name | Description |
-| --- | --- |
-| **TimeGenerated** | The date and time in UTC when the flow log was created. |
-| **ResourceId** | The resource ID of your public IP address. |
-| **Category** | For flow logs, this will be `DDoSMitigationFlowLogs`.|
-| **ResourceGroup** | The resource group that contains your public IP address and virtual network. |
-| **SubscriptionId** | Your DDoS protection plan subscription ID. |
-| **Resource** | The name of your public IP address. |
-| **ResourceType** | This will always be `PUBLICIPADDRESS`. |
-| **OperationName** | For flow logs, this will be `DDoSMitigationFlowLogs`. |
-| **Message** | Details of the attack. |
-| **SourcePublicIpAddress** | The public IP address of the client generating traffic to your public IP address. |
-| **SourcePort** | Port number ranging from 0 to 65535. |
-| **DestPublicIpAddress** | Your public IP address. |
-| **DestPort** | Port number ranging from 0 to 65535. |
-| **Protocol** | Type of protocol. Possible values include `tcp`, `udp`, `other`.|
-
-# [DDoSMitigationReports](#tab/DDoSMitigationReports)
-
-| Field name | Description |
-| --- | --- |
-| **TimeGenerated** | The date and time in UTC when the report was created. |
-| **ResourceId** | The resource ID of your public IP address. |
-| **Category** | For notifications, this will be `DDoSMitigationReports`.|
-| **ResourceGroup** | The resource group that contains your public IP address and virtual network. |
-| **SubscriptionId** | Your DDoS protection plan subscription ID. |
-| **Resource** | The name of your public IP address. |
-| **ResourceType** | This will always be `PUBLICIPADDRESS`. |
-| **OperationName** | For mitigation reports, this will be `DDoSMitigationReports`. |
-| **ReportType** | Possible values include `Incremental`, `PostMitigation`.|
-| **MitigationPeriodStart** | The date and time in UTC when the mitigation started.  |
-| **MitigationPeriodEnd** | The date and time in UTC when the mitigation ended. |
-| **IPAddress** | Your public IP address. |
-| **AttackVectors** |  Breakdown of attack types. Keys include `TCP SYN flood`, `TCP flood`, `UDP flood`, `UDP reflection`, `Other packet flood`.|
-| **TrafficOverview** |  Breakdown of attack traffic. Keys include `Total packets`, `Total packets dropped`, `Total TCP packets`, `Total TCP packets dropped`, `Total UDP packets`, `Total UDP packets dropped`, `Total Other packets`, `Total Other packets dropped`. |
-| **Protocols** | Breakdown of protocols involved. Keys include `TCP`, `UDP`, `Other`. |
-| **DropReasons** | Breakdown of reasons for dropped packets. Keys include `Protocol violation invalid TCP syn`, `Protocol violation invalid TCP`, `Protocol violation invalid UDP`, `UDP reflection`, `TCP rate limit exceeded`, `UDP rate limit exceeded`, `Destination limit exceeded`, `Other packet flood`, `Rate limit exceeded`, `Packet was forwarded to service`. |
-| **TopSourceCountries** | Breakdown of top 10 source countries/regions of incoming traffic. |
-| **TopSourceCountriesForDroppedPackets** | Breakdown of top 10 source countries/regions of attack traffic that is/was mitigated. |
-| **TopSourceASNs** | Breakdown of top 10 source autonomous system numbers (ASN) of the incoming traffic.  |
-| **SourceContinents** | Breakdown of the source continents of incoming traffic. |
-***
 
 ## Next steps
 
-> [!div class="nextstepaction"]
-> [View and configure DDoS diagnostic logging](diagnostic-logging.md)
->
-> [Test with simulation partners](test-through-simulations.md)
+* [Configure DDoS Alerts](alerts.md)
+* [View alerts in Microsoft Defender for Cloud](ddos-view-alerts-defender-for-cloud.md)
+* [Test with simulation partners](test-through-simulations.md)