| 1 | +--- |
| 2 | +title: 'Configure Azure DDoS Protection diagnostic logging alerts' |
| 3 | +description: Learn how to configure DDoS protection diagnostic alerts for Azure DDoS Protection. |
| 4 | +services: ddos-protection |
| 5 | +documentationcenter: na |
| 6 | +author: AbdullahBell |
| 7 | +ms.service: ddos-protection |
| 8 | +ms.topic: how-to |
| 9 | +ms.tgt_pltfrm: na |
| 10 | +ms.workload: infrastructure-services |
| 11 | +ms.date: 01/30/2023 |
| 12 | +ms.author: abell |
| 13 | +--- |
| 14 | + |
| 15 | +# Configure Azure DDoS Protection diagnostic logging alerts |
| 16 | + |
| 17 | +Azure DDoS Protection provides detailed attack insights and visualization with DDoS Attack Analytics. Customers protecting their virtual networks against DDoS attacks have detailed visibility into attack traffic and actions taken to mitigate the attack via attack mitigation reports & mitigation flow logs. Rich telemetry is exposed via Azure Monitor including detailed metrics during the duration of a DDoS attack. Alerting can be configured for any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with [Microsoft Sentinel](../sentinel/data-connectors-reference.md#azure-ddos-protection), Splunk (Azure Event Hubs), OMS Log Analytics, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface. |
| 18 | + |
| 19 | +In this article, you'll learn how to configure diagnostic logging alerts through Azure Monitor and Logic App. |
| 20 | + |
| 21 | +## Prerequisites |
| 22 | + |
| 23 | +- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. |
| 24 | +- Before you can complete the steps in this guide, you must first create a [Azure DDoS Protection plan](manage-ddos-protection.md). DDoS Network Protection must be enabled on a virtual network or DDoS IP Protection must be enabled on a public IP address. |
| 25 | +- In order to use diagnostic logging, you must first create a [Log Analytics workspace with diagnostic settings enabled](ddos-configure-log-analytics-workspace.md). |
| 26 | +- DDoS Protection monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in [Virtual network for Azure services](../virtual-network/virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network) (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this guide, you can quickly create a [Windows](../virtual-machines/windows/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [Linux](../virtual-machines/linux/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) virtual machine. |
| 27 | + |
| 28 | +## Configure diagnostic logging alerts through Azure Monitor |
| 29 | + |
| 30 | +With these templates, you'll be able to configure alerts for all public IP addresses that you have enabled diagnostic logging on. |
| 31 | + |
| 32 | +### Create Azure Monitor alert rule |
| 33 | + |
| 34 | +The Azure Monitor alert rule template will run a query against the diagnostic logs to detect when an active DDoS mitigation is occurring. The alert indicates a potential attack. Action groups can be used to invoke actions as a result of the alert. |
| 35 | + |
| 36 | + |
| 37 | +#### Deploy the template |
| 38 | + |
| 39 | +1. Select **Deploy to Azure** to sign in to Azure and open the template. |
| 40 | + |
| 41 | + [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Network-Security%2Fmaster%2FAzure%2520DDoS%2520Protection%2FAlert%2520-%2520DDOS%2520Mitigation%2520started%2520azure%2520monitor%2520alert%2FDDoSMitigationStarted.json) |
| 42 | + |
| 43 | +1. On the *Custom deployment* page, under *Project details*, enter the following information. |
| 44 | +:::image type="content" source="./media/manage-ddos-protection/ddos-deploy-alert.png" alt-text="Screenshot of Azure Monitor alert rule template."::: |
| 45 | + |
| 46 | + | Setting | Value | |
| 47 | + |--|--| |
| 48 | + | Subscription | Select your Azure subscription. | |
| 49 | + | Resource Group | Select your Resource group. | |
| 50 | + | Region | Select your Region. | |
| 51 | + | Workspace Name | Enter your workspace name. In this example the *Workspace name* is **myLogAnalyticsWorkspace**. | |
| 52 | + | Location | Enter **East US**. | |
| 53 | + |
| 54 | + > [!NOTE] |
| 55 | + > *Location* must match the location of the workspace. |
| 56 | + |
| 57 | +1. Select **Review + create** and then select **Create** after validation passes. |
| 58 | + |
| 59 | + |
| 60 | +### Create Azure Monitor diagnostic logging alert rule with Logic App |
| 61 | + |
| 62 | +This DDoS Mitigation Alert Enrichment template deploys the necessary components of an enriched DDoS mitigation alert: Azure Monitor alert rule, action group, and Logic App. The result of the process is an email alert with details about the IP address under attack, including information about the resource associated with the IP. The owner of the resource is added as a recipient of the email, along with the security team. A basic application availability test is also performed and the results are included in the email alert. |
| 63 | +#### Deploy the template |
| 64 | + |
| 65 | +1. Select **Deploy to Azure** to sign in to Azure and open the template. |
| 66 | + |
| 67 | + [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Network-Security%2Fmaster%2FAzure%2520DDoS%2520Protection%2FAutomation%2520-%2520DDoS%2520Mitigation%2520Alert%2520Enrichment%2FEnrich-DDoSAlert.json) |
| 68 | + |
| 69 | +1. On the *Custom deployment* page, under *Project details*, enter the following information. |
| 70 | +:::image type="content" source="./media/manage-ddos-protection/ddos-deploy-alert-logic-app.png" alt-text="Screenshot of DDoS Mitigation Alert Enrichment template."::: |
| 71 | + |
| 72 | + | Setting | Value | |
| 73 | + |--|--| |
| 74 | + | Subscription | Select your Azure subscription. | |
| 75 | + | Resource Group | Select your Resource group. | |
| 76 | + | Region | Select your Region. | |
| 77 | + | Alert Name | Leave as default. | |
| 78 | + | Security Team Email | Enter the required email address. | |
| 79 | + | Company Domain | Enter the required domain. | |
| 80 | + | Workspace Name | Enter your workspace name. In this example the *Workspace name* is **myLogAnalyticsWorkspace**. | |
| 81 | + |
| 82 | +1. Select **Review + create** and then select **Create** after validation passes. |
| 83 | + |
| 84 | +## Clean up resources |
| 85 | +You can keep your resources for the next guide. If no longer needed, delete the alerts. |
| 86 | + |
| 87 | +1. In the search box at the top of the portal, enter **Alerts**. Select **Alerts** in the search results. |
| 88 | + |
| 89 | + :::image type="content" source="./media/manage-ddos-protection/ddos-protection-alert-rule.png" alt-text="Screenshot of Alerts page."::: |
| 90 | + |
| 91 | +1. Select **Alert rules**, then in the Alert rules page, select your subscription. |
| 92 | + |
| 93 | + :::image type="content" source="./media/manage-ddos-protection/ddos-protection-delete-alert-rules.png" alt-text="Screenshot of Alert rules page."::: |
| 94 | + |
| 95 | +1. Select the alerts created in this guide, then select **Delete**. |
| 96 | + |
| 97 | +## Next steps |
| 98 | + |
| 99 | +In this article, you learned how to configure diagnostic logging alerts through Azure Monitor. |
| 100 | + |
| 101 | +To learn how to test and simulate a DDoS attack, see the simulation testing guide: |
| 102 | + |
| 103 | +> [!div class="nextstepaction"] |
| 104 | +> [Test through simulations](test-through-simulations.md) |
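Review bot: the *Location* row of the first parameter table (line 52, `| Location | Enter **East US**. |`) hard-codes a region while the note directly beneath it says the value must match the workspace location, so a reader whose workspace is elsewhere will fail validation or deploy the alert rule against the wrong workspace. Suggest wording it as the condition rather than a constant, e.g. `| Location | Enter the location of the Log Analytics workspace you selected (for example **East US**). |`, and consider clarifying that *Region* (the deployment region) and *Location* (the workspace region) are two different values. Two smaller points in the same file: line 24 should read "create an Azure DDoS Protection plan", and the closing sentence on line 99 says alerts were configured "through Azure Monitor" only, while the article also covers the Logic App enrichment path; "through Azure Monitor and Logic App" would match the intro on line 19.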