Integrate and export diagnostic logs into SIEM
Implementation Effort: Medium
User Impact: Low
Overview
After enabling diagnostic logging for Azure DDoS Protection, Azure Firewall, and Azure WAF, stream these logs into your SIEM—for example, into Microsoft Sentinel via its built-in data connectors.
When ingesting your network security logs into a SIEM via a Log Analytics workspace, include the key diagnostic categories from each service to ensure full visibility and actionable insights:
- Azure DDoS Protection: DDoSProtectionNotifications, DDoSMitigationReports, and DDoSMitigationFlowLogs to track attack detections, mitigation actions, and traffic details
- Azure Firewall: AzureFirewallNetworkRule, AzureFirewallApplicationRule, AzureFirewallThreatIntel, and AzureFirewallIdpsSignature logs to capture all rule matches, threat-intel blocks, and intrusion detections
- Azure WAF (Front Door & App Gateway): WebApplicationFirewallLog, FrontdoorAccessLog, and FrontdoorHealthProbeLog for Front Door; ApplicationGatewayFirewallLog, ApplicationGatewayAccessLog, and ApplicationGatewayPerformanceLog for Application Gateway—so you can monitor blocked requests, traffic patterns, and gateway health
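As an added example (not part of the original page), the script below creates one diagnostic setting per resource with the categories listed above, sending them to the Log Analytics workspace the SIEM reads from. All resource IDs, the workspace ID and the setting names are assumed placeholders; the category names are the ones given above and should be confirmed against what each resource actually exposes.

```shell
#!/bin/sh
# Added example (not from the original page): route the diagnostic categories listed
# above into the Log Analytics workspace that feeds the SIEM, one setting per resource.
# Every resource ID here is an assumed placeholder; override it via the environment.
set -eu
SUB="/subscriptions/SUB_ID/resourceGroups/RG/providers"   # placeholder prefix
WORKSPACE_ID="${WORKSPACE_ID:-$SUB/Microsoft.OperationalInsights/workspaces/WS}"
PUBLIC_IP_ID="${PUBLIC_IP_ID:-$SUB/Microsoft.Network/publicIPAddresses/PIP}"
FIREWALL_ID="${FIREWALL_ID:-$SUB/Microsoft.Network/azureFirewalls/FW}"
FRONT_DOOR_ID="${FRONT_DOOR_ID:-$SUB/Microsoft.Cdn/profiles/AFD}"
APP_GATEWAY_ID="${APP_GATEWAY_ID:-$SUB/Microsoft.Network/applicationGateways/AGW}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the az commands instead of executing them

# build_logs_json CATEGORY... -> JSON array in the shape `--logs` accepts
build_logs_json() {
  out="[" sep=""
  for cat in "$@"; do
    out="${out}${sep}{\"category\":\"${cat}\",\"enabled\":true}"
    sep=","
  done
  printf '%s]' "$out"
}

# enable_diag SETTING_NAME RESOURCE_ID CATEGORY...
enable_diag() {
  name="$1"; resource="$2"; shift 2
  logs="$(build_logs_json "$@")"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az monitor diagnostic-settings create --name %s --resource %s --workspace %s --logs %s\n' \
      "$name" "$resource" "$WORKSPACE_ID" "$logs"
  else
    az monitor diagnostic-settings create --name "$name" --resource "$resource" \
      --workspace "$WORKSPACE_ID" --logs "$logs" --output none
  fi
}

main() {
  # Category names as listed above. They vary slightly between WAF SKUs, so confirm with:
  #   az monitor diagnostic-settings categories list --resource <resource-id>
  # DDoS categories are exposed on the protected public IP address, not on the DDoS plan.
  enable_diag ddos-to-siem "$PUBLIC_IP_ID" DDoSProtectionNotifications DDoSMitigationReports DDoSMitigationFlowLogs
  enable_diag azfw-to-siem "$FIREWALL_ID" AzureFirewallNetworkRule AzureFirewallApplicationRule \
    AzureFirewallThreatIntel AzureFirewallIdpsSignature
  enable_diag afd-to-siem "$FRONT_DOOR_ID" WebApplicationFirewallLog FrontdoorAccessLog FrontdoorHealthProbeLog
  enable_diag appgw-to-siem "$APP_GATEWAY_ID" ApplicationGatewayFirewallLog ApplicationGatewayAccessLog \
    ApplicationGatewayPerformanceLog
}

if [ "${1:-}" = "apply" ]; then main; fi   # run as: sh enable-diag.sh apply
```

Run once with DRY_RUN=1 to review the generated commands before applying them; an `az login` session with write access to the resources is required for the real run.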
These logs, once collected in Log Analytics and routed into your SIEM, provide the foundation for automated alerts, playbook-driven responses, dashboards, and advanced threat hunting—ensuring you maintain a robust Zero Trust network security posture.